Merge remote-tracking branch 'origin/master' into topic/seth/smb

# Conflicts: # testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log # testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log # testing/btest/Baseline/plugins.hooks/output # testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log # testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
2025-10-03 15:18:20 +00:00 · 2016-07-30 01:58:23 -04:00 · 2016-07-30 01:58:23 -04:00 · da7ec8064b
commit da7ec8064b
parent fee3af419b 4ad5d9073a
416 changed files with 27341 additions and 26258 deletions
--- a/90
+++ b/90
@ -1,4 +1,94 @@
 2.4-723 | 2016-07-26 15:04:26 -0700
  * Add error events to input framework. (Johanna Amann)
    This change introduces error events for Table and Event readers.
    Users can now specify an event that is called when an info,
    warning, or error is emitted by their input reader. This can,
    e.g., be used to raise notices in case errors occur when reading
    an important input stream.
    Example:
        event error_event(desc: Input::TableDescription, msg: string, level: Reporter::Level)
            {
            ...
            }
        event bro_init()
            {
            Input::add_table([$source="a", $error_ev=error_event, ...]);
            }
     Addresses BIT-1181. 
  * Calling Error() in an input reader now automatically will disable
    the reader and return a failure in the Update/Heartbeat calls.
    (Johanna Amann)
  * Convert all errors in the ASCII formatter into warnings (to show
    that they are non-fatal. (Johanna Amann)
  * Enable SQLite shared cache mode. This allows all threads accessing
    the same database to share sqlite objects. See
    https://www.sqlite.org/sharedcache.html. Addresses BIT-1325.
    (Johanna Amann)
  * NetControl: Adjust default priority of ACTION_DROP hook to standad
    level. (Johanna Amann)
  * Fix types when constructing SYN_packet record. Fixes BIT-1650.
    (Grant Moyer).
 2.4-715 | 2016-07-23 07:27:05 -0700
  * SQLite writer: Remove unused string formatting function. (Johanna Amann)
  * Deprecated the ElasticSearch log writer. (Johanna Amann)
 2.4-709 | 2016-07-15 09:05:20 -0700
  * Change Bro's hashing for short inputs and Bloomfilters from H3 to
    Siphash, which produces much better results for HLL in particular.
    (Johanna Amann)
  * Fix a long-standing bug which truncated hash values to 32-bit on
    most machines. (Johanna Amann)
  * Fixes to HLL. Addresses BIT-1612. (Johanna Amann)
  * Add test checking the quality of HLL. (Johanna Amann)
  * Remove the -K/-J options for setting keys. (Johanna Amann)
  * SSL: Fix memory management problem. (Johanna Amann)
 2.4-693 | 2016-07-12 11:29:17 -0700
  * Change TCP analysis to process connections without the initial SYN as
    non-partial connections. Addresses BIT-1492. (Robin Sommer).
 2.4-691 | 2016-07-12 09:58:38 -0700
  * SSL: add support for signature_algorithms extension. (Johanna
    Amann)
 2.4-688 | 2016-07-11 11:10:33 -0700
  * Disable broker by default. To enable it, use --enable-broker.
    Addresses BIT-1645. (Daniel Thayer)
 2.4-686 | 2016-07-08 19:14:43 -0700
  * Added flagging of retransmission to the connection history.
    Addresses BIT-977. (Robin Sommer)
 2.4-683 | 2016-07-08 14:55:04 -0700
  * Extendign connection history field to flag with '^' when Bro flips
    a connection's endpoints. Addresses BIT-1629. (Robin Sommer)
 2.4-680 | 2016-07-06 09:18:21 -0700
  * Remove ack_above_hole() event, which was a subset of content_gap
--- a/35
+++ b/35
@ -13,16 +13,21 @@ New Dependencies
 - Bro now requires a compiler with C++11 support for building the
  source code.
 - Bro now requires the C++ Actor Framework, CAF, which must be
  installed first. See http://actor-framework.org.
 - Bro now requires Python instead of Perl to compile the source code.
- The pcap buffer size can set through the new option Pcap::bufsize.
+- When enabling Broker (which is disabled by default), Bro now requires
  version 0.14 of the C++ Actor Framework.
 Log Changes
 -----------
 - Connections
  - The 'history' field gains two new flags: '^' indicates that Bro
    heuristically flipped to direction of the connection. 't/T' indicates
    the first TCP payload retransmission from originator or responder,
    respectively.
 - DNS
  - New 'rtt' field to indicate the round trip time between when a
@ -62,6 +67,10 @@ New Functionality
  STARTTLS sessions, handing them over to TLS analysis. The analyzer
  does not yet analyze any further IMAP/XMPP content.
 - The new event ssl_extension_signature_algorithm allows access to the
  TLS signature_algorithms extension that lists client supported signature
  and hash algorithm pairs.
 - Bro now tracks VLAN IDs. To record them inside the connection log,
  load protocols/conn/vlan-logging.bro.
@ -133,6 +142,11 @@ New Functionality
    - redis: An experimental log writer for Redis.
    - tcprs: An TCP-level analyzer detecting retransmissions, reordering, and more.
 - The pcap buffer size can be set through the new option Pcap::bufsize.
 - Input framework readers Table and Event can now define a custom
  event to receive logging messages.
 Changed Functionality
 ---------------------
@ -157,6 +171,12 @@ Changed Functionality
  filled out in the first place) has been split into to
  "orig_filenames" and "resp_filenames".
 - TCP analysis was changed to process connections without the initial
  SYN packet. In the past, connections without a full handshake were
  treated as partial, meaning that most application-layer analyzers
  would refuse to inspect the payload. Now, Bro will consider these
  connections as complete and all analyzers will process them notmally.
 Removed Functionality
 ---------------------
@ -168,6 +188,9 @@ Removed Functionality
    - The event ack_above_hole() has been removed, as it was a subset
      of content_gap() and led to plenty noise.
    - The command line options --set-seed and --md5-hashkey have been
      removed.
 Deprecated Functionality
 ------------------------
@ -177,6 +200,10 @@ Deprecated Functionality
      decode_base64() and encode_base64(), which take an optional
      parameter to change the Base64 alphabet.
    - The ElasticSearch log writer hasn't been maintained for a while
      and is now deprecated. It will be removed with the next release.
 Bro 2.4
 =======
--- a/2
+++ b/2
@ -1 +1 @@
-2.4-680
+2.4-723
--- a/aux/broctl
+++ b/aux/broctl
@ -1 +1 @@
-Subproject commit 9319932eb10a902ada7e8bc08da21f9beed8ca4b
+Subproject commit b7932813c6bc8a711334bdf2c4beecd7c5e351ca
--- a/aux/plugins
+++ b/aux/plugins
@ -1 +1 @@
-Subproject commit dbacbe51ce5d07f61ccfea3256616408351b6481
+Subproject commit 3aef01c600b29e936348798bc27bdfb57ddf4053
--- a/20
+++ b/20
@ -41,7 +41,8 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
    --enable-perftools-debug use Google's perftools for debugging
    --enable-jemalloc      link against jemalloc
    --enable-ruby          build ruby bindings for broccoli (deprecated)
-    --disable-broker       disable use of the Broker communication library
+    --enable-broker        enable use of the Broker communication library
                           (requires C++ Actor Framework)
    --disable-broccoli     don't build or install the Broccoli library
    --disable-broctl       don't install Broctl
    --disable-auxtools     don't build or install auxiliary tools
@ -57,10 +58,10 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
    --with-flex=PATH       path to flex executable
    --with-bison=PATH      path to bison executable
    --with-python=PATH     path to Python executable
    --with-caf=PATH        path to C++ Actor Framework installation
                           (a required Broker dependency)
  Optional Packages in Non-Standard Locations:
    --with-caf=PATH        path to C++ Actor Framework installation
                           (a required Broker dependency)
    --with-geoip=PATH      path to the libGeoIP install root
    --with-perftools=PATH  path to Google Perftools install root
    --with-jemalloc=PATH   path to jemalloc install root
@ -121,13 +122,12 @@ append_cache_entry BRO_ROOT_DIR         PATH   $prefix
 append_cache_entry PY_MOD_INSTALL_DIR   PATH   $prefix/lib/broctl
 append_cache_entry BRO_SCRIPT_INSTALL_PATH STRING $prefix/share/bro
 append_cache_entry BRO_ETC_INSTALL_DIR  PATH   $prefix/etc
 append_cache_entry BROKER_PYTHON_HOME   PATH   $prefix
 append_cache_entry BROKER_PYTHON_BINDINGS BOOL false
 append_cache_entry ENABLE_DEBUG         BOOL   false
 append_cache_entry ENABLE_PERFTOOLS     BOOL   false
 append_cache_entry ENABLE_PERFTOOLS_DEBUG BOOL false
 append_cache_entry ENABLE_JEMALLOC      BOOL   false
-append_cache_entry ENABLE_BROKER        BOOL   true
+append_cache_entry ENABLE_BROKER        BOOL   false
 append_cache_entry BinPAC_SKIP_INSTALL  BOOL   true
 append_cache_entry BUILD_SHARED_LIBS    BOOL   true
 append_cache_entry INSTALL_AUX_TOOLS    BOOL   true
@ -162,7 +162,7 @@ while [ $# -ne 0 ]; do
            append_cache_entry BRO_ROOT_DIR         PATH   $optarg
            append_cache_entry PY_MOD_INSTALL_DIR   PATH   $optarg/lib/broctl
-            if [ -z "$user_disabled_broker" ]; then
+            if [ -n "$user_enabled_broker" ]; then
                append_cache_entry BROKER_PYTHON_HOME   PATH   $optarg
            fi
            ;;
@ -199,10 +199,12 @@ while [ $# -ne 0 ]; do
        --enable-jemalloc)
            append_cache_entry ENABLE_JEMALLOC     BOOL   true
            ;;
        --enable-broker)
            append_cache_entry ENABLE_BROKER        BOOL   true
            append_cache_entry BROKER_PYTHON_HOME   PATH   $prefix
            user_enabled_broker="true"
            ;;
        --disable-broker)
            append_cache_entry ENABLE_BROKER        BOOL   false
            remove_cache_entry BROKER_PYTHON_HOME
            user_disabled_broker="true"
            ;;
        --disable-broccoli)
            append_cache_entry INSTALL_BROCCOLI     BOOL   false
--- a/doc/components/bro-plugins/elasticsearch-deprecated/README.rst
+++ b/doc/components/bro-plugins/elasticsearch-deprecated/README.rst
@ -0,0 +1 @@
 ../../../../aux/plugins/elasticsearch-deprecated/README
--- a/doc/components/bro-plugins/elasticsearch/README.rst
+++ b/doc/components/bro-plugins/elasticsearch/README.rst
@ -1 +0,0 @@
 ../../../../aux/plugins/elasticsearch/README
--- a/doc/install/install.rst
+++ b/doc/install/install.rst
@ -32,7 +32,6 @@ before you begin:
    * Libz
    * Bash (for BroControl)
    * Python (for BroControl)
    * C++ Actor Framework (CAF) version 0.14 (http://actor-framework.org)
 To build Bro from source, the following additional dependencies are required:
@ -47,8 +46,6 @@ To build Bro from source, the following additional dependencies are required:
    * zlib headers
    * Python
 To install CAF, first download the source code of the required version from: https://github.com/actor-framework/actor-framework/releases
 To install the required dependencies, you can use:
 * RPM/RedHat-based Linux:
@ -98,12 +95,12 @@ To install the required dependencies, you can use:
  component).
  OS X comes with all required dependencies except for CMake_, SWIG_,
-  OpenSSL, and CAF. (OpenSSL used to be part of OS X versions 10.10
+  and OpenSSL. (OpenSSL used to be part of OS X versions 10.10
  and older, for which it does not need to be installed manually. It
  was removed in OS X 10.11). Distributions of these dependencies can
  likely be obtained from your preferred Mac OS X package management
  system (e.g. Homebrew_, MacPorts_, or Fink_). Specifically for
-  Homebrew, the ``cmake``, ``swig``, ``openssl`` and ``caf`` packages
+  Homebrew, the ``cmake``, ``swig``, and ``openssl`` packages
  provide the required dependencies.
@ -113,6 +110,7 @@ Optional Dependencies
 Bro can make use of some optional libraries and tools if they are found at
 build time:
    * C++ Actor Framework (CAF) version 0.14 (http://actor-framework.org)
    * LibGeoIP (for geolocating IP addresses)
    * sendmail (enables Bro and BroControl to send mail)
    * curl (used by a Bro script that implements active HTTP)
--- a/doc/logs/index.rst
+++ b/doc/logs/index.rst
@ -244,7 +244,7 @@ crossreference that with the UIDs in the ``http.log`` file.
 .. btest:: using_bro
-   @TEST-EXEC: btest-rst-cmd "cat http.log | bro-cut uid id.resp_h method status_code host uri | grep VW0XPVINV8a"
+   @TEST-EXEC: btest-rst-cmd "cat http.log | bro-cut uid id.resp_h method status_code host uri | grep UM0KZ3MLUfNB0cl11"
 As you can see there are two HTTP ``GET`` requests within the
 session that Bro identified and logged.  Given that HTTP is a stream
--- a/scripts/base/frameworks/input/main.bro
+++ b/scripts/base/frameworks/input/main.bro
@ -103,6 +103,17 @@ export {
 		## it is skipped.
 		pred: function(typ: Input::Event, left: any, right: any): bool &optional;
 		## Error event that is raised when an information, warning or error
 		## is raised by the input stream. If the level is error, the stream will automatically
 		## be closed.
 		## The event receives the Input::TableDescription as the first argument, the
 		## message as the second argument and the Reporter::Level as the third argument.
 		##
 		## The event is raised like if it had been declared as follows:
 		## error_ev: function(desc: TableDescription, message: string, level: Reporter::Level) &optional;
 		## The actual declaration uses the ``any`` type because of deficiencies of the Bro type system.
 		error_ev: any &optional;
 		## A key/value table that will be passed to the reader.
 		## Interpretation of the values is left to the reader, but
 		## usually they will be used for configuration purposes.
@ -146,6 +157,17 @@ export {
 		## all fields, or each field value as a separate argument).
 		ev: any;
 		## Error event that is raised when an information, warning or error
 		## is raised by the input stream. If the level is error, the stream will automatically
 		## be closed.
 		## The event receives the Input::EventDescription as the first argument, the
 		## message as the second argument and the Reporter::Level as the third argument.
 		##
 		## The event is raised like it had been declared as follows:
 		## error_ev: function(desc: EventDescription, message: string, level: Reporter::Level) &optional;
 		## The actual declaration uses the ``any`` type because of deficiencies of the Bro type system.
 		error_ev: any &optional;
 		## A key/value table that will be passed to the reader.
 		## Interpretation of the values is left to the reader, but
 		## usually they will be used for configuration purposes.
--- a/scripts/base/frameworks/netcontrol/catch-and-release.bro
+++ b/scripts/base/frameworks/netcontrol/catch-and-release.bro
@ -125,6 +125,14 @@ export {
 	##          the inserted block.
 	global get_catch_release_info: function(a: addr) : BlockInfo;
 	## Event is raised when catch and release cases management of an IP address because no
 	## activity was seen within the watch_until period.
 	##
 	## a: The address that is no longer being managed.
 	##
 	## bi: The :bro:see:`NetControl::BlockInfo` record containing information about the block.
 	global catch_release_forgotten: event(a: addr, bi: BlockInfo);
 	## If true, catch_release_seen is called on the connection originator in new_connection,
 	## connection_established, partial_connection, connection_attempt, connection_rejected,
 	## connection_reset and connection_pending
@ -198,6 +206,8 @@ function per_block_interval(t: table[addr] of BlockInfo, idx: addr): interval
 		{
 		local log = populate_log_record(idx, t[idx], FORGOTTEN);
 		Log::write(CATCH_RELEASE, log);
 		event NetControl::catch_release_forgotten(idx, t[idx]);
 		}
@endif
--- a/scripts/base/frameworks/notice/actions/drop.bro
+++ b/scripts/base/frameworks/notice/actions/drop.bro
@ -19,7 +19,7 @@ export {
 	};
 }
-hook notice(n: Notice::Info)
+hook notice(n: Notice::Info) &priority=-5
 	{
 	if ( ACTION_DROP in n$actions )
 		{
--- a/scripts/base/frameworks/reporter/main.bro
+++ b/scripts/base/frameworks/reporter/main.bro
@ -17,22 +17,14 @@ export {
 	## The reporter logging stream identifier.
 	redef enum Log::ID += { LOG };
 	## An indicator of reporter message severity.
 	type Level: enum {
 		## Informational, not needing specific attention.
 		INFO,
 		## Warning of a potential problem.
 		WARNING,
 		## A non-fatal error that should be addressed, but doesn't
 		## terminate program execution.
 		ERROR
 	};
 	## The record type which contains the column fields of the reporter log.
 	type Info: record {
 		## The network time at which the reporter event was generated.
 		ts:       time   &log;
-		## The severity of the reporter message.
+		## The severity of the reporter message. Levels are INFO for informational
 		## messages, not needing specific attention; WARNING for warning of a potential
 		## problem, and ERROR for a non-fatal error that should be addressed, but doesn't
 		## terminate program execution.
 		level:    Level  &log;
 		## An info/warning/error message that could have either been
 		## generated from the internal Bro core or at the scripting-layer.
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@ -3434,6 +3434,23 @@ export {
 	};
 }
 module SSL;
 export {
 	type SignatureAndHashAlgorithm: record {
 		HashAlgorithm: count; ##< Hash algorithm number
 		SignatureAlgorithm: count; ##< Signature algorithm number
 	};
 }
 module GLOBAL;
 ## A vector of Signature and Hash Algorithms.
 ##
 ## .. todo:: We need this type definition only for declaring builtin functions
 ##    via ``bifcl``. We should extend ``bifcl`` to understand composite types
 ##    directly and then remove this alias.
 type signature_and_hashalgorithm_vec: vector of SSL::SignatureAndHashAlgorithm;
 module X509;
 export {
 	type Certificate: record {
--- a/scripts/base/protocols/conn/main.bro
+++ b/scripts/base/protocols/conn/main.bro
@ -87,8 +87,10 @@ export {
 		## f       packet with FIN bit set
 		## r       packet with RST bit set
 		## c       packet with a bad checksum
 		## t       packet with retransmitted payload
 		## i       inconsistent packet (e.g. FIN+RST bits set)
 		## q       multi-flag packet (SYN+FIN or SYN+RST bits set)
 		## ^       connection direction was flipped by Bro's heuristic
 		## ======  ====================================================
 		##
 		## If the event comes from the originator, the letter is in
--- a/scripts/base/protocols/ssl/consts.bro
+++ b/scripts/base/protocols/ssl/consts.bro
@ -57,6 +57,27 @@ export {
 		[2] = "fatal",
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 	## Mapping between numeric codes and human readable strings for hash
 	## algorithms.
 	const hash_algorithms: table[count] of string = {
 		[0] = "none",
 		[1] = "md5",
 		[2] = "sha1",
 		[3] = "sha224",
 		[4] = "sha256",
 		[5] = "sha384",
 		[6] = "sha512",
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 	## Mapping between numeric codes and human readable strings for signature
 	## algorithms.
 	const signature_algorithms: table[count] of string = {
 		[0] = "anonymous",
 		[1] = "rsa",
 		[2] = "dsa",
 		[3] = "ecdsa",
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 	## Mapping between numeric codes and human readable strings for alert
 	## descriptions.
 	const alert_descriptions: table[count] of string = {
--- a/src/3rdparty
+++ b/src/3rdparty
@ -1 +1 @@
-Subproject commit f1eaca0e085a8b37ec6a32c7e1b0e9571414a2e3
+Subproject commit 0bbd6e8fd0e1ad6dc3002244d11c79d4bc63831d
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@ -348,6 +348,7 @@ set(bro_SRCS
    PacketDumper.cc
    strsep.c
    modp_numtoa.c
    siphash24.c
    threading/BasicThread.cc
    threading/Formatter.cc
--- a/src/Conn.cc
+++ b/src/Conn.cc
@ -773,6 +773,8 @@ void Connection::FlipRoles()
 		root_analyzer->FlipRoles();
 	analyzer_mgr->ApplyScheduledAnalyzers(this);
 	AddHistory('^');
 	}
 unsigned int Connection::MemoryAllocation() const
--- a/src/H3.h
+++ b/src/H3.h
@ -1,143 +0,0 @@
 // Copyright 2004, 2005
 // The Regents of the University of California
 // All Rights Reserved
 // 
 // Permission to use, copy, modify and distribute any part of this
 // h3.h file, without fee, and without a written agreement is hereby
 // granted, provided that the above copyright notice, this paragraph
 // and the following paragraphs appear in all copies.
 // 
 // IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY
 // PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL
 // DAMAGES, INCLUDING LOST PROFITS, ARISING OUT OF THE USE OF THIS
 // SOFTWARE, EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF
 // THE POSSIBILITY OF SUCH DAMAGE.
 // 
 // THE SOFTWARE PROVIDED HEREIN IS ON AN "AS IS" BASIS, AND THE
 // UNIVERSITY OF CALIFORNIA HAS NO OBLIGATION TO PROVIDE MAINTENANCE,
 // SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. THE UNIVERSITY
 // OF CALIFORNIA MAKES NO REPRESENTATIONS AND EXTENDS NO WARRANTIES
 // OF ANY KIND, EITHER IMPLIED OR EXPRESS, INCLUDING, BUT NOT LIMITED
 // TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
 // PARTICULAR PURPOSE, OR THAT THE USE OF THE SOFTWARE WILL NOT INFRINGE
 // ANY PATENT, TRADEMARK OR OTHER RIGHTS.
 // 
 // The h3.h file is developed by the CoralReef development team at the
 // University of California, San Diego under the Cooperative Association
 // for Internet Data Analysis (CAIDA) Program.  Support for this effort was
 // provided by the CAIDA grant NCR-9711092, DARPA NGI Contract
 // N66001-98-2-8922, DARPA NMS Grant N66001-01-1-8909, NSF Grant ANI-013710
 // and by CAIDA members.
 // 
 // Report bugs and suggestions to coral-bugs@caida.org.
 // H3 hash function family
 // C++ template implementation by Ken Keys (kkeys@caida.org)
 //
 // Usage:
 //    #include <h3.h>
 //    const H3<T, N> h;
 //    T hashval = h(data, size [, offset]);
 // (T) is the type to be returned by the hash function; must be an integral
 //     type, e.g. uint32_t.
 // (N) is the size of the data in bytes (if data is a struct, beware of
 //     padding).
 // The hash function hashes the (size) bytes of the data pointed to by (data),
 //     starting at (offset).  Note: offset affects the hash value, so
 //     h(data, size, offset) is not the same as h(data+offset, size, 0).
 //     Typically (size) is N and (offset) is 0, but other values can be used to
 //     hash a substring of the data.  Hashes of substrings can be bitwise-XOR'ed
 //     together to get the same result as hashing the full string.
 // Any number of hash functions can be created by creating new instances of H3,
 //     with the same or different template parameters.  The hash function
 //     constructor takes a seed as argument which defaults to a call to
 //     bro_random().
 #ifndef H3_H
 #define H3_H
 #include <climits>
 #include <cstring>
 // The number of values representable by a byte.
 #define H3_BYTE_RANGE (UCHAR_MAX+1)
 template <typename T, int N>
 class H3 {
 public:
 	H3()
 		{
 		Init(false, 0);
 		}
 	H3(T seed)
 		{
 		Init(true, seed);
 		}
 	void Init(bool have_seed, T seed)
 		{
 		T bit_lookup[N * CHAR_BIT];
 		for ( size_t bit = 0; bit < N * CHAR_BIT; bit++ )
 			{
 			bit_lookup[bit] = 0;
 			for ( size_t i = 0; i < sizeof(T)/2; i++ )
 				{
 				seed = have_seed ? bro_prng(seed) : bro_random();
 				// assume random() returns at least 16 random bits
 				bit_lookup[bit] = (bit_lookup[bit] << 16) | (seed & 0xFFFF);
 				}
 			}
 		for ( size_t byte = 0; byte < N; byte++ )
 			{
 			for ( unsigned val = 0; val < H3_BYTE_RANGE; val++ )
 				{
 				byte_lookup[byte][val] = 0;
 				for ( size_t bit = 0; bit < CHAR_BIT; bit++ )
 					// Does this mean byte_lookup[*][0] == 0? -RP
 					if (val & (1 << bit))
 						byte_lookup[byte][val] ^= bit_lookup[byte*CHAR_BIT+bit];
 				}
 			}
 		}
 	T operator()(const void* data, size_t size, size_t offset = 0) const
 		{
 		const unsigned char *p = static_cast<const unsigned char*>(data);
 		T result = 0;
 		// loop optmized with Duff's Device
 		unsigned n = (size + 7) / 8;
 		switch ( size % 8 ) {
 		case 0: do { result ^= byte_lookup[offset++][*p++];
 		case 7:      result ^= byte_lookup[offset++][*p++];
 		case 6:      result ^= byte_lookup[offset++][*p++];
 		case 5:      result ^= byte_lookup[offset++][*p++];
 		case 4:      result ^= byte_lookup[offset++][*p++];
 		case 3:      result ^= byte_lookup[offset++][*p++];
 		case 2:      result ^= byte_lookup[offset++][*p++];
 		case 1:      result ^= byte_lookup[offset++][*p++];
 				} while ( --n > 0 );
 			}
 		return result;
 		}
 	friend bool operator==(const H3& x, const H3& y)
 		{
 		return ! std::memcmp(x.byte_lookup, y.byte_lookup, N * H3_BYTE_RANGE);
 		}
 	friend bool operator!=(const H3& x, const H3& y)
 		{
 		return ! (x == y);
 		}
 private:
 	T byte_lookup[N][H3_BYTE_RANGE];
 };
 #endif //H3_H
--- a/src/Hash.cc
+++ b/src/Hash.cc
@ -18,15 +18,15 @@
 #include "bro-config.h"
 #include "Hash.h"
 #include "Reporter.h"
-#include "H3.h"
+#include "siphash24.h"
 const H3<hash_t, UHASH_KEY_SIZE>* h3;
 void init_hash_function()
 	{
 	// Make sure we have already called init_random_seed().
-	ASSERT(hmac_key_set);
+	if ( ! (hmac_key_set && siphash_key_set) )
-	h3 = new H3<hash_t, UHASH_KEY_SIZE>();
+		reporter->InternalError("Bro's hash functions aren't fully initialized");
 	}
 HashKey::HashKey(bro_int_t i)
@ -166,12 +166,14 @@ hash_t HashKey::HashBytes(const void* bytes, int size)
 	{
 	if ( size <= UHASH_KEY_SIZE )
 		{
-		// H3 doesn't check if size is zero
+		hash_t digest;
-		return ( size == 0 ) ? 0 : (*h3)(bytes, size);
+		siphash(&digest, (const uint8_t *)bytes, size, shared_siphash_key);
 		return digest;
 		}
 	// Fall back to HMAC/MD5 for longer data (which is usually rare).
-	hash_t digest[16];
+	assert(sizeof(hash_t) == 8);
 	hash_t digest[2]; // 2x hash_t (uint64) = 128 bits = 32 hex chars = sizeof md5
 	hmac_md5(size, (const unsigned char*) bytes, (unsigned char*) digest);
 	return digest[0];
 	}
--- a/src/Hash.h
+++ b/src/Hash.h
@ -81,7 +81,8 @@ protected:
 	void* key;
 	int is_our_dynamic;
-	int size, hash;
+	int size;
 	hash_t hash;
 };
 extern void init_hash_function();
--- a/src/Reporter.cc
+++ b/src/Reporter.cc
@ -300,7 +300,7 @@ void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
 		{
 		va_list aq;
 		va_copy(aq, ap);
-		int n = vsnprintf(buffer, size, fmt, aq);
+		int n = safe_vsnprintf(buffer, size, fmt, aq);
 		va_end(aq);
 		if ( postfix )
@ -321,7 +321,7 @@ void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
 	if ( postfix )
 		// Note, if you change this fmt string, adjust the additional
 		// buffer size above.
-		sprintf(buffer + strlen(buffer), " [%s]", postfix);
+		safe_snprintf(buffer + strlen(buffer), size - strlen(buffer), " [%s]", postfix);
 	if ( event && via_events && ! in_error_handler )
 		{
--- a/src/Reporter.h
+++ b/src/Reporter.h
@ -32,12 +32,7 @@ protected:
 	InterpreterException()	{}
 };
 // Check printf-style variadic arguments if we can.
 #if __GNUC__
 #define FMT_ATTR __attribute__((format(printf, 2, 3))) // sic! 1st is "this" I guess.
 #else
 #define FMT_ATTR
 #endif
 class Reporter {
 public:
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@ -1232,6 +1232,9 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id,
 	Connection* conn = new Connection(this, k, t, id, flow_label, pkt, encapsulation);
 	conn->SetTransport(tproto);
 	if ( flip )
 		conn->AddHistory('^');
 	if ( ! analyzer_mgr->BuildInitialAnalyzerTree(conn) )
 		{
 		conn->Done();
--- a/src/analyzer/protocol/ssl/CMakeLists.txt
+++ b/src/analyzer/protocol/ssl/CMakeLists.txt
@ -5,6 +5,7 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI
 bro_plugin_begin(Bro SSL)
 bro_plugin_cc(SSL.cc DTLS.cc Plugin.cc)
 bro_plugin_bif(types.bif)
 bro_plugin_bif(events.bif)
 bro_plugin_pac(tls-handshake.pac tls-handshake-protocol.pac tls-handshake-analyzer.pac ssl-defs.pac
 	proc-client-hello.pac
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@ -83,7 +83,7 @@ event ssl_server_hello%(c: connection, version: count, possible_ts: time, server
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ##    ssl_session_ticket_handshake ssl_extension_ec_point_formats
 ##    ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
-##    ssl_extension_server_name
+##    ssl_extension_server_name ssl_extension_signature_algorithm
 event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
 ## Generated for an SSL/TLS Elliptic Curves extension. This TLS extension is
@ -99,7 +99,7 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ##    ssl_session_ticket_handshake ssl_extension
 ##    ssl_extension_ec_point_formats ssl_extension_application_layer_protocol_negotiation
-##    ssl_extension_server_name ssl_server_curve
+##    ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm
 event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%);
 ## Generated for an SSL/TLS Supported Point Formats extension. This TLS extension
@ -116,9 +116,26 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ##    ssl_session_ticket_handshake ssl_extension
 ##    ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
-##    ssl_extension_server_name ssl_server_curve
+##    ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm
 event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%);
 ## Generated for an Signature Algorithms extension. This TLS extension
 ## is defined in :rfc:`5246` and sent by the client in the initial
 ## handshake. It gives the list of signature and hash algorithms supported by the
 ## client.
 ##
 ## c: The connection.
 ##
 ## is_orig: True if event is raised for originator side of the connection.
 ##
 ## signature_algorithms: List of supported signature and hash algorithm pairs.
 ##
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ##    ssl_session_ticket_handshake ssl_extension
 ##    ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
 ##    ssl_extension_server_name ssl_server_curve
 event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature_algorithms: signature_and_hashalgorithm_vec%);
 ## Generated if a named curve is chosen by the server for an SSL/TLS connection.
 ## The curve is sent by the server in the ServerKeyExchange message as defined
 ## in :rfc:`4492`, in case an ECDH or ECDHE cipher suite is chosen.
--- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
@ -102,6 +102,26 @@ refine connection Handshake_Conn += {
 		return true;
 		%}
 	function proc_signature_algorithm(rec: HandshakeRecord, supported_signature_algorithms: SignatureAndHashAlgorithm[]) : bool
 		%{
 		VectorVal* slist = new VectorVal(internal_type("signature_and_hashalgorithm_vec")->AsVectorType());
 		if ( supported_signature_algorithms )
 			{
 			for ( unsigned int i = 0; i < supported_signature_algorithms->size(); ++i )
 				{
 				RecordVal* el = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm);
 				el->Assign(0, new Val((*supported_signature_algorithms)[i]->HashAlgorithm(), TYPE_COUNT));
 				el->Assign(1, new Val((*supported_signature_algorithms)[i]->SignatureAlgorithm(), TYPE_COUNT));
 				slist->Assign(i, el);
 				}
 			}
 		BifEvent::generate_ssl_extension_signature_algorithm(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, slist);
 		return true;
 		%}
 	function proc_apnl(rec: HandshakeRecord, protocols: ProtocolName[]) : bool
 		%{
 		VectorVal* plist = new VectorVal(internal_type("string_vec")->AsVectorType());
@ -247,6 +267,10 @@ refine typeattr EllipticCurves += &let {
 	proc : bool = $context.connection.proc_elliptic_curves(rec, elliptic_curve_list);
 };
 refine typeattr SignatureAlgorithm += &let {
 	proc : bool = $context.connection.proc_signature_algorithm(rec, supported_signature_algorithms);
 }
 refine typeattr ApplicationLayerProtocolNegotiationExtension += &let {
 	proc : bool = $context.connection.proc_apnl(rec, protocol_name_list);
 };
--- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
@ -458,6 +458,7 @@ type SSLExtension(rec: HandshakeRecord) = record {
 		EXT_EC_POINT_FORMATS -> ec_point_formats: EcPointFormats(rec)[] &until($element == 0 || $element != 0);
 #		EXT_STATUS_REQUEST -> status_request: StatusRequest(rec)[] &until($element == 0 || $element != 0);
 		EXT_SERVER_NAME -> server_name: ServerNameExt(rec)[] &until($element == 0 || $element != 0);
 		EXT_SIGNATURE_ALGORITHMS -> signature_algorithm: SignatureAlgorithm(rec)[] &until($element == 0 || $element != 0);
 		default -> data: bytestring &restofdata;
 	};
 } &length=data_len+4 &exportsourcedata;
@ -501,6 +502,16 @@ type EcPointFormats(rec: HandshakeRecord) = record {
 	point_format_list: uint8[length];
 };
 type SignatureAndHashAlgorithm() = record {
 	HashAlgorithm: uint8;
 	SignatureAlgorithm: uint8;
 }
 type SignatureAlgorithm(rec: HandshakeRecord) = record {
 	length: uint16;
 	supported_signature_algorithms: SignatureAndHashAlgorithm[] &until($input.length() == 0);
 }
 type EllipticCurves(rec: HandshakeRecord) = record {
 	length: uint16;
 	elliptic_curve_list: uint16[length/2];
--- a/src/analyzer/protocol/ssl/tls-handshake.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake.pac
@ -3,6 +3,11 @@
 %include binpac.pac
 %include bro.pac
 %extern{
 #include "types.bif.h"
 #include "events.bif.h"
 %}
 analyzer TLSHandshake withcontext {
 	connection: Handshake_Conn;
 	flow:       Handshake_Flow;
--- a/src/analyzer/protocol/ssl/types.bif
+++ b/src/analyzer/protocol/ssl/types.bif
@ -0,0 +1,5 @@
 module SSL;
 type SignatureAndHashAlgorithm: record;
 module GLOBAL;
--- a/src/analyzer/protocol/tcp/TCP.cc
+++ b/src/analyzer/protocol/tcp/TCP.cc
@ -105,11 +105,11 @@ static RecordVal* build_syn_packet_val(int is_orig, const IP_Hdr* ip,
 	v->Assign(0, new Val(is_orig, TYPE_BOOL));
 	v->Assign(1, new Val(int(ip->DF()), TYPE_BOOL));
-	v->Assign(2, new Val(int(ip->TTL()), TYPE_INT));
+	v->Assign(2, new Val((ip->TTL()), TYPE_COUNT));
-	v->Assign(3, new Val((ip->TotalLen()), TYPE_INT));
+	v->Assign(3, new Val((ip->TotalLen()), TYPE_COUNT));
-	v->Assign(4, new Val(ntohs(tcp->th_win), TYPE_INT));
+	v->Assign(4, new Val(ntohs(tcp->th_win), TYPE_COUNT));
 	v->Assign(5, new Val(winscale, TYPE_INT));
-	v->Assign(6, new Val(MSS, TYPE_INT));
+	v->Assign(6, new Val(MSS, TYPE_COUNT));
 	v->Assign(7, new Val(SACK, TYPE_BOOL));
 	return v;
@ -761,6 +761,17 @@ void TCP_Analyzer::UpdateInactiveState(double t,
 			// consider the ack as forming a partial
 			// connection.
 			;
 		else if ( flags.ACK() && peer->state == TCP_ENDPOINT_ESTABLISHED )
 			{
 			// No SYN packet from originator but SYN/ACK from
 			// responder, and now a pure ACK. Problably means we
 			// just missed that initial SYN. Let's not treat it
 			// as partial and instead establish the connection.
 			endpoint->SetState(TCP_ENDPOINT_ESTABLISHED);
 			is_partial = 0;
 			}
 		else
 			{
 			endpoint->SetState(TCP_ENDPOINT_PARTIAL);
@ -1165,7 +1176,7 @@ static void update_ack_seq(TCP_Endpoint* endpoint, uint32 ack_seq)
 // Returns the difference between last_seq and the last sequence
 // seen by the endpoint (may be negative).
 static int32 update_last_seq(TCP_Endpoint* endpoint, uint32 last_seq,
-                             TCP_Flags flags)
+                             TCP_Flags flags, int len)
 	{
 	int32 delta_last = seq_delta(last_seq, endpoint->LastSeq());
@ -1194,9 +1205,8 @@ static int32 update_last_seq(TCP_Endpoint* endpoint, uint32 last_seq,
 		// ## endpoint->last_seq = last_seq;
 		endpoint->UpdateLastSeq(last_seq);
-	else if ( delta_last <= 0 )
+	else if ( delta_last < 0 && len > 0 )
-		{ // ### ++retransmit, unless this is a pure ack
+		endpoint->CheckHistory(HIST_RXMIT, 'T');
 		}
 	return delta_last;
 	}
@ -1334,7 +1344,7 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 		peer->AckReceived(rel_ack);
 		}
-	int32 delta_last = update_last_seq(endpoint, seq_one_past_segment, flags);
+	int32 delta_last = update_last_seq(endpoint, seq_one_past_segment, flags, len);
 	endpoint->last_time = current_timestamp;
 	int do_close;
--- a/src/analyzer/protocol/tcp/TCP_Endpoint.h
+++ b/src/analyzer/protocol/tcp/TCP_Endpoint.h
@ -187,6 +187,7 @@ public:
 #define HIST_ACK_PKT 0x20
 #define HIST_MULTI_FLAG_PKT 0x40
 #define HIST_CORRUPT_PKT 0x80
 #define HIST_RXMIT 0x100
 	int CheckHistory(uint32 mask, char code);
 	void AddHistory(char code);
--- a/src/input/Manager.cc
+++ b/src/input/Manager.cc
@ -67,6 +67,7 @@ public:
 	EnumVal* type;
 	ReaderFrontend* reader;
 	TableVal* config;
 	EventHandlerPtr error_event;
 	RecordVal* description;
@ -78,7 +79,7 @@ protected:
 Manager::Stream::Stream(StreamType t)
    : name(), removed(), stream_type(t), type(), reader(), config(),
-      description()
+      error_event(), description()
 	{
 	}
@ -103,7 +104,6 @@ public:
 	unsigned int num_idx_fields;
 	unsigned int num_val_fields;
 	bool want_record;
 	EventHandlerPtr table_event;
 	TableVal* tab;
 	RecordType* rtype;
@ -129,7 +129,7 @@ public:
 	bool want_record;
 	EventStream();
-        ~EventStream();
+	~EventStream();
 };
 class Manager::AnalysisStream: public Manager::Stream {
@ -432,6 +432,13 @@ bool Manager::CreateEventStream(RecordVal* fval)
 	else
 		assert(false);
 	Val* error_event_val = fval->Lookup("error_ev", true);
 	Func* error_event = error_event_val ? error_event_val->AsFunc() : nullptr;
 	Unref(error_event_val);
 	if ( ! CheckErrorEventTypes(stream_name, error_event, false) )
 		return false;
 	vector<Field*> fieldsV; // vector, because UnrollRecordType needs it
 	bool status = (! UnrollRecordType(&fieldsV, fields, "", allow_file_func));
@ -459,6 +466,7 @@ bool Manager::CreateEventStream(RecordVal* fval)
 	stream->num_fields = fieldsV.size();
 	stream->fields = fields->Ref()->AsRecordType();
 	stream->event = event_registry->Lookup(event->Name());
 	stream->error_event = error_event ? event_registry->Lookup(error_event->Name()) : nullptr;
 	stream->want_record = ( want_record->InternalInt() == 1 );
 	Unref(want_record); // ref'd by lookupwithdefault
@ -558,8 +566,6 @@ bool Manager::CreateTableStream(RecordVal* fval)
 			}
 		}
 	Val* event_val = fval->Lookup("ev", true);
 	Func* event = event_val ? event_val->AsFunc() : 0;
 	Unref(event_val);
@ -628,9 +634,15 @@ bool Manager::CreateTableStream(RecordVal* fval)
 			}
 		assert(want_record->InternalInt() == 1 || want_record->InternalInt() == 0);
 		}
 	Val* error_event_val = fval->Lookup("error_ev", true);
 	Func* error_event = error_event_val ? error_event_val->AsFunc() : nullptr;
 	Unref(error_event_val);
 	if ( ! CheckErrorEventTypes(stream_name, error_event, true) )
 		return false;
 	vector<Field*> fieldsV; // vector, because we don't know the length beforehands
 	bool status = (! UnrollRecordType(&fieldsV, idx, "", false));
@ -678,6 +690,7 @@ bool Manager::CreateTableStream(RecordVal* fval)
 	stream->rtype = val ? val->AsRecordType() : 0;
 	stream->itype = idx->AsRecordType();
 	stream->event = event ? event_registry->Lookup(event->Name()) : 0;
 	stream->error_event = error_event ? event_registry->Lookup(error_event->Name()) : nullptr;
 	stream->currDict = new PDict(InputHash);
 	stream->currDict->SetDeleteFunc(input_hash_delete_func);
 	stream->lastDict = new PDict(InputHash);
@ -698,6 +711,54 @@ bool Manager::CreateTableStream(RecordVal* fval)
 	return true;
 	}
 bool Manager::CheckErrorEventTypes(std::string stream_name, Func* ev, bool table)
 	{
 	if ( ev == nullptr )
 		return true;
 	FuncType* etype = ev->FType()->AsFuncType();
 	if ( etype->Flavor() != FUNC_FLAVOR_EVENT )
 		{
 		reporter->Error("Input stream %s: Error event is a function, not an event", stream_name.c_str());
 		return false;
 		}
 	const type_list* args = etype->ArgTypes()->Types();
 	if ( args->length() != 3 )
 		{
 		reporter->Error("Input stream %s: Error event must take 3 arguments", stream_name.c_str());
 		return false;
 		}
 	if ( table && ! same_type((*args)[0], BifType::Record::Input::TableDescription, 0) )
 		{
 		reporter->Error("Input stream %s: Error event's first attribute must be of type Input::TableDescription", stream_name.c_str());
 		return false;
 		}
 	if ( ! table && ! same_type((*args)[0], BifType::Record::Input::EventDescription, 0) )
 		{
 		reporter->Error("Input stream %s: Error event's first attribute must be of type Input::EventDescription", stream_name.c_str());
 		return false;
 		}
 	if ( (*args)[1]->Tag() != TYPE_STRING )
 		{
 		reporter->Error("Input stream %s: Error event's second attribute must be of type string", stream_name.c_str());
 		return false;
 		}
 	if ( ! same_type((*args)[2], BifType::Enum::Reporter::Level, 0) )
 		{
 		reporter->Error("Input stream %s: Error event's third attribute must be of type Reporter::Level", stream_name.c_str());
 		return false;
 		}
 	return true;
 	}
 bool Manager::CreateAnalysisStream(RecordVal* fval)
 	{
 	RecordType* rtype = fval->Type()->AsRecordType();
@ -1054,7 +1115,7 @@ int Manager::SendEntryTable(Stream* i, const Value* const *vals)
 	if ( idxhash == 0 )
 		{
-		reporter->Error("Could not hash line. Ignoring");
+		Warning(i, "Could not hash line. Ignoring");
 		return stream->num_val_fields + stream->num_idx_fields;
 		}
@ -1719,7 +1780,7 @@ bool Manager::Delete(ReaderFrontend* reader, Value* *vals)
 			Val* retptr = stream->tab->Delete(idxval);
 			success = ( retptr != 0 );
 			if ( ! success )
-				reporter->Error("Internal error while deleting values from input table");
+				Warning(i, "Internal error while deleting values from input table");
 			else
 				Unref(retptr);
 			}
@ -1771,6 +1832,9 @@ bool Manager::CallPred(Func* pred_func, const int numvals, ...)
 	return result;
 	}
 // Raise everything in here as warnings so it is passed to scriptland without
 // looking "fatal". In addition to these warnings, ReaderBackend will queue
 // one reporter message.
 bool Manager::SendEvent(ReaderFrontend* reader, const string& name, const int num_vals, Value* *vals)
 	{
 	Stream *i = FindStream(reader);
@ -1783,7 +1847,7 @@ bool Manager::SendEvent(ReaderFrontend* reader, const string& name, const int nu
 	EventHandler* handler = event_registry->Lookup(name.c_str());
 	if ( handler == 0 )
 		{
-		reporter->Error("Event %s not found", name.c_str());
+		Warning(i, "Event %s not found", name.c_str());
 		delete_value_ptr_array(vals, num_vals);
 		return false;
 		}
@ -1797,7 +1861,7 @@ bool Manager::SendEvent(ReaderFrontend* reader, const string& name, const int nu
 	int num_event_vals = type->NumFields();
 	if ( num_vals != num_event_vals )
 		{
-		reporter->Error("Wrong number of values for event %s", name.c_str());
+		Warning(i, "Wrong number of values for event %s", name.c_str());
 		delete_value_ptr_array(vals, num_vals);
 		return false;
 		}
@ -2315,7 +2379,7 @@ Val* Manager::ValueToVal(const Stream* i, const Value* val, BroType* request_typ
 		bro_int_t index = request_type->AsEnumType()->Lookup(module, var.c_str());
 		if ( index == -1 )
 			{
-			reporter->Error("Value not '%s' for stream '%s' is not a valid enum.",
+			Warning(i, "Value not '%s' for stream '%s' is not a valid enum.",
 			                        enum_string.c_str(), i->name.c_str());
 			have_error = true;
@ -2367,3 +2431,132 @@ void Manager::Terminate()
 		}
 	}
 void Manager::Info(ReaderFrontend* reader, const char* msg)
 	{
 	Stream *i = FindStream(reader);
 	if ( !i )
 		{
 		reporter->Error("Stream not found in Info; lost message: %s", msg);
 		return;
 		}
 	ErrorHandler(i, ErrorType::INFO, false, "%s", msg);
 	}
 void Manager::Warning(ReaderFrontend* reader, const char* msg)
 	{
 	Stream *i = FindStream(reader);
 	if ( !i )
 		{
 		reporter->Error("Stream not found in Warning; lost message: %s", msg);
 		return;
 		}
 	ErrorHandler(i, ErrorType::WARNING, false, "%s", msg);
 	}
 void Manager::Error(ReaderFrontend* reader, const char* msg)
 	{
 	Stream *i = FindStream(reader);
 	if ( !i )
 		{
 		reporter->Error("Stream not found in Error; lost message: %s", msg);
 		return;
 		}
 	ErrorHandler(i, ErrorType::ERROR, false, "%s", msg);
 	}
 void Manager::Info(const Stream* i, const char* fmt, ...)
 	{
 	va_list ap;
 	va_start(ap, fmt);
 	ErrorHandler(i, ErrorType::INFO, true, fmt, ap);
 	va_end(ap);
 	}
 void Manager::Warning(const Stream* i, const char* fmt, ...)
 	{
 	va_list ap;
 	va_start(ap, fmt);
 	ErrorHandler(i, ErrorType::WARNING, true, fmt, ap);
 	va_end(ap);
 	}
 void Manager::Error(const Stream* i, const char* fmt, ...)
 	{
 	va_list ap;
 	va_start(ap, fmt);
 	ErrorHandler(i, ErrorType::ERROR, true, fmt, ap);
 	va_end(ap);
 	}
 void Manager::ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, ...)
 	{
 	va_list ap;
 	va_start(ap, fmt);
 	ErrorHandler(i, et, reporter_send, fmt, ap);
 	va_end(ap);
 	}
 void Manager::ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, va_list ap)
 	{
 	char* buf;
 	int n = vasprintf(&buf, fmt, ap);
 	if ( n < 0 || buf == nullptr )
 		{
 		reporter->InternalError("Could not format error message %s for stream %s", fmt, i->name.c_str());
 		return;
 		}
 	// send our script level error event
 	if ( i->error_event )
 		{
 		EnumVal* ev;
 		switch (et)
 			{
 			case ErrorType::INFO:
 				ev = new EnumVal(BifEnum::Reporter::INFO, BifType::Enum::Reporter::Level);
 				break;
 			case ErrorType::WARNING:
 				ev = new EnumVal(BifEnum::Reporter::WARNING, BifType::Enum::Reporter::Level);
 				break;
 			case ErrorType::ERROR:
 				ev = new EnumVal(BifEnum::Reporter::ERROR, BifType::Enum::Reporter::Level);
 				break;
 			default:
 				reporter->InternalError("Unknown error type while trying to report input error %s", fmt);
 			}
 		StringVal* message = new StringVal(buf);
 		SendEvent(i->error_event, 3, i->description->Ref(), message, ev);
 		}
 	if ( reporter_send )
 		{
 		switch (et)
 			{
 			case ErrorType::INFO:
 				reporter->Info("%s", buf);
 				break;
 			case ErrorType::WARNING:
 				reporter->Warning("%s", buf);
 				break;
 			case ErrorType::ERROR:
 				reporter->Error("%s", buf);
 				break;
 			default:
 				reporter->InternalError("Unknown error type while trying to report input error %s", fmt);
 			}
 		}
 	free(buf);
 	}
--- a/src/input/Manager.h
+++ b/src/input/Manager.h
@ -109,6 +109,7 @@ protected:
 	friend class ReaderClosedMessage;
 	friend class DisableMessage;
 	friend class EndOfDataMessage;
 	friend class ReaderErrorMessage;
 	// For readers to write to input stream in direct mode (reporting
 	// new/deleted values directly). Functions take ownership of
@ -143,6 +144,13 @@ protected:
 	// stream is still received.
 	bool RemoveStreamContinuation(ReaderFrontend* reader);
 	// Signal Informational messages, warnings and errors. These will be
 	// passed to the error function in scriptland. Note that the messages
 	// are not passed to reporter - this is done in ReaderBackend.
 	void Info(ReaderFrontend* reader, const char* msg);
 	void Warning(ReaderFrontend* reader, const char* msg);
 	void Error(ReaderFrontend* reader, const char* msg);
 	/**
 	 * Deletes an existing input stream.
 	 *
@ -165,6 +173,11 @@ private:
 	bool CreateStream(Stream*, RecordVal* description);
 	// Check if the types of the error_ev event are correct. If table is
 	// true, check for tablestream type, otherwhise check for eventstream
 	// type.
 	bool CheckErrorEventTypes(std::string stream_name, Func* error_event, bool table);
 	// SendEntry implementation for Table stream.
 	int SendEntryTable(Stream* i, const threading::Value* const *vals);
@ -219,6 +232,16 @@ private:
 	// Converts a Bro ListVal to a RecordVal given the record type.
 	RecordVal* ListValToRecordVal(ListVal* list, RecordType *request_type, int* position);
 	// Internally signal errors, warnings, etc.
 	// These are sent on to input scriptland and reporter.log
 	void Info(const Stream* i, const char* fmt, ...) __attribute__((format(printf, 3, 4)));
 	void Warning(const Stream* i, const char* fmt, ...) __attribute__((format(printf, 3, 4)));
 	void Error(const Stream* i, const char* fmt, ...) __attribute__((format(printf, 3, 4)));
 	enum class ErrorType { INFO, WARNING, ERROR };
 	void ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, ...) __attribute__((format(printf, 5, 6)));
 	void ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, va_list ap);
 	Stream* FindStream(const string &name);
 	Stream* FindStream(ReaderFrontend* reader);
--- a/src/input/ReaderBackend.cc
+++ b/src/input/ReaderBackend.cc
@ -78,6 +78,26 @@ private:
 	Value* *val;
 };
 class ReaderErrorMessage : public threading::OutputMessage<ReaderFrontend>
 {
 public:
 	enum Type {
 		INFO, WARNING, ERROR
 	};
 	ReaderErrorMessage(ReaderFrontend* reader, Type arg_type, const char* arg_msg)
 		: threading::OutputMessage<ReaderFrontend>("ReaderErrorMessage", reader)
 		{ type = arg_type; msg = copy_string(arg_msg); }
 	virtual ~ReaderErrorMessage() 	 { delete [] msg; }
 	virtual bool Process();
 private:
 	const char* msg;
 	Type type;
 };
 class SendEntryMessage : public threading::OutputMessage<ReaderFrontend> {
 public:
 	SendEntryMessage(ReaderFrontend* reader, Value* *val)
@ -136,7 +156,6 @@ public:
 private:
 };
 class DisableMessage : public threading::OutputMessage<ReaderFrontend>
 {
 public:
@ -156,6 +175,27 @@ public:
 		}
 };
 bool ReaderErrorMessage::Process()
 	{
 	switch ( type ) {
 	case INFO:
 		input_mgr->Info(Object(), msg);
 		break;
 	case WARNING:
 		input_mgr->Warning(Object(), msg);
 		break;
 	case ERROR:
 		input_mgr->Error(Object(), msg);
 		break;
 	}
 	return true;
 	}
 using namespace input;
 ReaderBackend::ReaderBackend(ReaderFrontend* arg_frontend) : MsgThread()
@ -266,11 +306,16 @@ bool ReaderBackend::Update()
 	if ( ! success )
 		DisableFrontend();
-	return success;
+	return ! disabled; // always return failure if we have been disabled in the meantime
 	}
 void ReaderBackend::DisableFrontend()
 	{
 	// We might already have been disabled - e.g., due to a call to
 	// error. In that case, ignore this...
 	if ( disabled )
 		return;
 	// We also set disabled here, because there still may be other
 	// messages queued and we will dutifully ignore these from now.
 	disabled = true;
@ -285,4 +330,25 @@ bool ReaderBackend::OnHeartbeat(double network_time, double current_time)
 	return DoHeartbeat(network_time, current_time);
 	}
 void ReaderBackend::Info(const char* msg)
 	{
 	SendOut(new ReaderErrorMessage(frontend, ReaderErrorMessage::INFO, msg));
 	MsgThread::Info(msg);
 	}
 void ReaderBackend::Warning(const char* msg)
 	{
 	SendOut(new ReaderErrorMessage(frontend, ReaderErrorMessage::WARNING, msg));
 	MsgThread::Warning(msg);
 	}
 void ReaderBackend::Error(const char* msg)
 	{
 	SendOut(new ReaderErrorMessage(frontend, ReaderErrorMessage::ERROR, msg));
 	MsgThread::Error(msg);
 	// Force errors to be fatal.
 	DisableFrontend();
 	}
 }
--- a/src/input/ReaderBackend.h
+++ b/src/input/ReaderBackend.h
@ -63,7 +63,7 @@ public:
 	 * an argument to callbacks. One must not otherwise access the
 	 * frontend, it's running in a different thread.
 	 */
-	ReaderBackend(ReaderFrontend* frontend);
+	explicit ReaderBackend(ReaderFrontend* frontend);
 	/**
 	 * Destructor.
@ -186,8 +186,22 @@ public:
 	int NumFields() const	{ return num_fields; }
 	// Overridden from MsgThread.
-	virtual bool OnHeartbeat(double network_time, double current_time);
+	bool OnHeartbeat(double network_time, double current_time) override;
-	virtual bool OnFinish(double network_time);
+	bool OnFinish(double network_time) override;
 	void Info(const char* msg) override;
 	void Warning(const char* msg) override;
 	/**
 	 * Reports an error in the child thread. For input readers, it is assumed
 	 * that Info and Warnings do not cause the read operation to fail (they might
 	 * signal that, e.g., a single line was ignored).
 	 *
 	 * It is assumed that Errors are not recoverable. Calling the Error function
 	 * will return the error back to scriptland and also *automatically* causes
 	 * the current reader to be disabled and torn down.
 	 */
 	void Error(const char* msg) override;
 protected:
 	// Methods that have to be overwritten by the individual readers
@ -325,7 +339,6 @@ protected:
 	 */
 	void EndCurrentSend();
 private:
 	// Frontend that instantiated us. This object must not be accessed
 	// from this class, it's running in a different thread!
--- a/src/input/readers/ascii/Ascii.cc
+++ b/src/input/readers/ascii/Ascii.cc
@ -341,7 +341,7 @@ bool Ascii::DoUpdate()
 			if ( val == 0 )
 				{
-				Error(Fmt("Could not convert line '%s' to Val. Ignoring line.", line.c_str()));
+				Warning(Fmt("Could not convert line '%s' to Val. Ignoring line.", line.c_str()));
 				error = true;
 				break;
 				}
--- a/src/input/readers/sqlite/SQLite.cc
+++ b/src/input/readers/sqlite/SQLite.cc
@ -75,6 +75,10 @@ bool SQLite::DoInit(const ReaderInfo& info, int arg_num_fields, const threading:
 		return false;
 		}
 	// Allow connections to same DB to use single data/schema cache. Also
 	// allows simultaneous writes to one file.
 	sqlite3_enable_shared_cache(1);
 	if ( Info().mode != MODE_MANUAL )
 		{
 		Error("SQLite only supports manual reading mode.");
--- a/src/logging/WriterBackend.h
+++ b/src/logging/WriterBackend.h
@ -38,7 +38,7 @@ public:
 	 * @param name A descriptive name for writer's type (e.g., \c Ascii).
 	 *
 	 */
-	WriterBackend(WriterFrontend* frontend);
+	explicit WriterBackend(WriterFrontend* frontend);
 	/**
 	 * Destructor.
@ -248,8 +248,12 @@ public:
 	bool FinishedRotation();
 	// Overridden from MsgThread.
-	virtual bool OnHeartbeat(double network_time, double current_time);
+	bool OnHeartbeat(double network_time, double current_time) override;
-	virtual bool OnFinish(double network_time);
+	bool OnFinish(double network_time) override;
 	// Let the compiler know that we are aware that there is a virtual
 	// info function in the base.
 	using MsgThread::Info;
 protected:
 	friend class FinishMessage;
--- a/src/logging/writers/sqlite/SQLite.cc
+++ b/src/logging/writers/sqlite/SQLite.cc
@ -120,6 +120,10 @@ bool SQLite::DoInit(const WriterInfo& info, int arg_num_fields,
 		return false;
 		}
 	// Allow connections to same DB to use single data/schema cache. Also
 	// allows simultaneous writes to one file.
 	sqlite3_enable_shared_cache(1);
 	num_fields = arg_num_fields;
 	fields = arg_fields;
@ -232,21 +236,6 @@ bool SQLite::DoInit(const WriterInfo& info, int arg_num_fields,
 	return true;
 	}
 // Format String
 char* SQLite::FS(const char* format, ...)
 	{
 	char* buf;
 	va_list al;
 	va_start(al, format);
 	int n = vasprintf(&buf, format, al);
 	va_end(al);
 	assert(n >= 0);
 	return buf;
 	}
 int SQLite::AddParams(Value* val, int pos)
 	{
 	if ( ! val->present )
--- a/src/logging/writers/sqlite/SQLite.h
+++ b/src/logging/writers/sqlite/SQLite.h
@ -38,7 +38,6 @@ private:
 	int AddParams(threading::Value* val, int pos);
 	string GetTableType(int, int);
 	char* FS(const char* format, ...);
 	const threading::Field* const * fields; // raw mapping
 	unsigned int num_fields;
--- a/src/main.cc
+++ b/src/main.cc
@ -190,8 +190,6 @@ void usage()
 	fprintf(stderr, "    -G|--load-seeds <file>         | load seeds from given file\n");
 	fprintf(stderr, "    -H|--save-seeds <file>         | save seeds to given file\n");
 	fprintf(stderr, "    -I|--print-id <ID name>        | print out given ID\n");
 	fprintf(stderr, "    -J|--set-seed <seed>           | set the random number seed\n");
 	fprintf(stderr, "    -K|--md5-hashkey <hashkey>     | set key for MD5-keyed hashing\n");
 	fprintf(stderr, "    -N|--print-plugins             | print available plugins and exit (-NN for verbose)\n");
 	fprintf(stderr, "    -P|--prime-dns                 | prime DNS\n");
 	fprintf(stderr, "    -Q|--time                      | print execution time summary to stderr\n");
@ -459,7 +457,6 @@ int main(int argc, char** argv)
 	char* debug_streams = 0;
 	int parse_only = false;
 	int bare_mode = false;
 	int seed = 0;
 	int dump_cfg = false;
 	int to_xml = 0;
 	int do_watchdog = 0;
@ -491,8 +488,6 @@ int main(int argc, char** argv)
 		{"force-dns",		no_argument,		0,	'F'},
 		{"load-seeds",		required_argument,	0,	'G'},
 		{"save-seeds",		required_argument,	0,	'H'},
 		{"set-seed",		required_argument,	0,	'J'},
 		{"md5-hashkey",		required_argument,	0,	'K'},
 		{"print-plugins",	no_argument,		0,	'N'},
 		{"prime-dns",		no_argument,		0,	'P'},
 		{"time",		no_argument,		0,	'Q'},
@ -546,7 +541,7 @@ int main(int argc, char** argv)
 	opterr = 0;
 	char opts[256];
-	safe_strncpy(opts, "B:e:f:G:H:I:i:J:K:n:p:R:r:s:T:t:U:w:x:X:z:CFNPQSWabdghv",
+	safe_strncpy(opts, "B:e:f:G:H:I:i:n:p:R:r:s:T:t:U:w:x:X:z:CFNPQSWabdghv",
 		     sizeof(opts));
 #ifdef USE_PERFTOOLS_DEBUG
@ -661,15 +656,6 @@ int main(int argc, char** argv)
 			id_name = optarg;
 			break;
 		case 'J':
 			seed = atoi(optarg);
 			break;
 		case 'K':
 			MD5((const u_char*) optarg, strlen(optarg), shared_hmac_md5_key);
 			hmac_key_set = 1;
 			break;
 		case 'N':
 			++print_plugins;
 			break;
@ -760,7 +746,7 @@ int main(int argc, char** argv)
 		}
 #endif
-	init_random_seed(seed, (seed_load_file && *seed_load_file ? seed_load_file : 0) , seed_save_file);
+	init_random_seed((seed_load_file && *seed_load_file ? seed_load_file : 0) , seed_save_file);
 	// DEBUG_MSG("HMAC key: %s\n", md5_digest_print(shared_hmac_md5_key));
 	init_hash_function();
--- a/src/probabilistic/CardinalityCounter.cc
+++ b/src/probabilistic/CardinalityCounter.cc
@ -28,10 +28,9 @@ int CardinalityCounter::OptimalB(double error, double confidence) const
 	return answer;
 	}
-void CardinalityCounter::Init(uint64 size)
+void CardinalityCounter::Init(uint64_t size)
 	{
 	m = size;
 	buckets = new uint8_t[m];
 	// The following magic values are taken directly out of the
 	// description of the HyperLogLog algorithn.
@ -51,60 +50,83 @@ void CardinalityCounter::Init(uint64 size)
 	else
 		reporter->InternalError("Invalid size %" PRIu64 ". Size either has to be 16, 32, 64 or bigger than 128", size);
-	for ( uint64 i = 0; i < m; i++ )
+	double calc_p = log2(m);
-		buckets[i] = 0;
+	if ( trunc(calc_p) != calc_p )
 		reporter->InternalError("Invalid size %" PRIu64 ". Size either has to be a power of 2", size);
 	p = calc_p;
 	buckets.reserve(m);
 	for ( uint64_t i = 0; i < m; i++ )
 		buckets.push_back(0);
 	assert(buckets.size() == m);
 	V = m;
 	}
 CardinalityCounter::CardinalityCounter(CardinalityCounter& other)
 	: buckets(other.buckets)
 	{
-	Init(other.GetM());
+	V = other.V;
-	Merge(&other);
+	alpha_m = other.alpha_m;
 	m = other.m;
 	p = other.p;
 	}
 CardinalityCounter::CardinalityCounter(CardinalityCounter&& o)
 	{
 	V = o.V;
 	alpha_m = o.alpha_m;
 	m = o.m;
 	p = o.p;
 	o.m = 0;
 	buckets = std::move(o.buckets);
 	}
 CardinalityCounter::CardinalityCounter(double error_margin, double confidence)
 	{
 	int b = OptimalB(error_margin, confidence);
 	Init((uint64) pow(2, b));
 	assert(b == p);
 	}
-CardinalityCounter::CardinalityCounter(uint64 size)
+CardinalityCounter::CardinalityCounter(uint64_t size)
 	{
 	Init(size);
 	}
-CardinalityCounter::CardinalityCounter(uint64 arg_size, uint64 arg_V, double arg_alpha_m)
+CardinalityCounter::CardinalityCounter(uint64_t arg_size, uint64_t arg_V, double arg_alpha_m)
 	{
 	m = arg_size;
-	buckets = new uint8_t[m];
+
 	buckets.reserve(m);
 	for ( uint64_t i = 0; i < m; i++ )
 		buckets.push_back(0);
 	alpha_m = arg_alpha_m;
 	V = arg_V;
 	p = log2(m);
 	}
 CardinalityCounter::~CardinalityCounter()
 	{
 	delete [] buckets;
 	}
-uint8_t CardinalityCounter::Rank(uint64 hash_modified) const
+uint8_t CardinalityCounter::Rank(uint64_t hash_modified) const
 	{
-	uint8_t answer = 0;
+	hash_modified = hash_modified >> p;
-
+	int answer = 64 - p - CardinalityCounter::flsll(hash_modified) + 1;
-	hash_modified = (uint64)(hash_modified / m);
+	assert(answer > 0 && answer < 64);
 	hash_modified *= 2;
 	do {
 		hash_modified = (uint64)(hash_modified / 2);
 		answer++;
 	} while ( hash_modified % 2 == 0);
 	return answer;
 	}
-void CardinalityCounter::AddElement(uint64 hash)
+void CardinalityCounter::AddElement(uint64_t hash)
 	{
-	uint64 index = hash % m;
+	uint64_t index = hash % m;
 	hash = hash-index;
 	if( buckets[index] == 0 )
@ -149,7 +171,7 @@ bool CardinalityCounter::Merge(CardinalityCounter* c)
 	if ( m != c->GetM() )
 		return false;
-	uint8_t* temp = c->GetBuckets();
+	const vector<uint8_t> temp = c->GetBuckets();
 	V = 0;
@ -165,12 +187,12 @@ bool CardinalityCounter::Merge(CardinalityCounter* c)
 	return true;
 	}
-uint8_t* CardinalityCounter::GetBuckets()
+const vector<uint8_t> &CardinalityCounter::GetBuckets() const
 	{
 	return buckets;
 	}
-uint64 CardinalityCounter::GetM() const
+uint64_t CardinalityCounter::GetM() const
 	{
 	return m;
 	}
@ -192,7 +214,7 @@ bool CardinalityCounter::Serialize(SerialInfo* info) const
 CardinalityCounter* CardinalityCounter::Unserialize(UnserialInfo* info)
 	{
 	uint64_t m;
-	uint64 V;
+	uint64_t V;
 	double alpha_m;
 	bool valid = true;
@ -202,13 +224,13 @@ CardinalityCounter* CardinalityCounter::Unserialize(UnserialInfo* info)
 	CardinalityCounter* c = new CardinalityCounter(m, V, alpha_m);
-	uint8_t* buckets = c->buckets;
+	vector<uint8_t>& buckets = c->buckets;
 	for ( unsigned int i = 0; i < m; i++ )
 		{
 		char c;
 		valid &= UNSERIALIZE(&c);
-		buckets[i] = (uint8)c;
+		buckets[i] = (uint8_t)c;
 		}
 	if ( ! valid )
@ -219,3 +241,51 @@ CardinalityCounter* CardinalityCounter::Unserialize(UnserialInfo* info)
 	return c;
 	}
 /**
 * The following function is copied from libc/string/flsll.c from the FreeBSD source
 * tree. Original copyright message follows
 */
 /*-
 * Copyright (c) 1990, 1993
 *      The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
 /*
 * Find Last Set bit
 */
 int
 CardinalityCounter::flsll(uint64_t mask)
 {
        int bit;
        if (mask == 0)
                return (0);
        for (bit = 1; mask != 1; bit++)
                mask = (uint64_t)mask >> 1;
        return (bit);
 }
--- a/src/probabilistic/CardinalityCounter.h
+++ b/src/probabilistic/CardinalityCounter.h
@ -28,13 +28,18 @@ public:
 	 *
 	 * @param confidence confidence of the error. Default: 0.95
 	 */
-	CardinalityCounter(double error_margin, double confidence = 0.95);
+	explicit CardinalityCounter(double error_margin, double confidence = 0.95);
 	/**
 	 * Copy-Constructor
 	 */
 	CardinalityCounter(CardinalityCounter& other);
 	/**
 	 * Move-Constructor
 	 */
 	CardinalityCounter(CardinalityCounter&& o);
 	/**
 	 * Constructor for a known number of buckets.
 	 *
@ -43,7 +48,7 @@ public:
 	 *
 	 * @param size number of buckets to create
 	 */
-	CardinalityCounter(uint64 size);
+	explicit CardinalityCounter(uint64_t size);
 	/**
 	 * Destructor.
@ -58,7 +63,7 @@ public:
 	 *
 	 * @param hash 64-bit hash value of the element to be added
 	 */
-	void AddElement(uint64 hash);
+	void AddElement(uint64_t hash);
 	/**
 	 * Get the current estimated number of elements in the data
@ -104,7 +109,7 @@ protected:
 	 *
 	 * @return Number of buckets
 	 */
-	uint64 GetM() const;
+	uint64_t GetM() const;
 	/**
 	 * Returns the buckets array that holds all of the rough cardinality
@ -114,21 +119,21 @@ protected:
 	 *
 	 * @return Array containing cardinality estimates
 	 */
-	uint8_t* GetBuckets();
+	const std::vector<uint8_t>& GetBuckets() const;
 private:
 	/**
 	 * Constructor used when unserializing, i.e., all parameters are
 	 * known.
 	 */
-	CardinalityCounter(uint64 size, uint64 V, double alpha_m);
+	explicit CardinalityCounter(uint64_t size, uint64_t V, double alpha_m);
 	/**
 	 * Helper function with code used jointly by multiple constructors.
 	 *
 	 * @param arg_size: number of buckets that need to be kept
 	 */
-	void Init(uint64 arg_size);
+	void Init(uint64_t arg_size);
 	/**
 	 * This function calculates the smallest value of b that will
@ -150,22 +155,28 @@ private:
 	int OptimalB(double error, double confidence) const;
 	/**
-	 * Determines at which index (counted from the back) the first one-bit
+	 * Determines at which index (counted from the front) the first one-bit
 	 * appears. The last b bits have to be 0 (the element has to be divisible
-	 * by m), hence they are ignored.
+	 * by m), hence they are ignored. Always adds 1 to the result. This is the
 	 * rho function from the original algorithm.
 	 *
 	 * @param hash_modified hash value
 	 *
 	 * @returns index of first one-bit
 	 */
-	uint8_t Rank(uint64 hash_modified) const;
+	uint8_t Rank(uint64_t hash_modified) const;
 	/**
 	 * flsll from FreeBSD; especially Linux does not have this.
 	 */
 	static int flsll(uint64_t mask);
 	/**
 	 * This is the number of buckets that will be stored. The standard
 	 * error is 1.04/sqrt(m), so the actual cardinality will be the
 	 * estimate +/- 1.04/sqrt(m) with approximately 68% probability.
 	 */
-	uint64 m;
+	uint64_t m;
 	/**
 	 * These are the actual buckets that are storing an estimate of the
@ -173,7 +184,7 @@ private:
 	 * appears in the bitstring and that location is at most 65, so not
 	 * that many bits are needed to store it.
 	 */
-	uint8_t* buckets;
+	std::vector<uint8_t> buckets;
 	/**
 	 * There are some state constants that need to be kept track of to
@ -181,8 +192,9 @@ private:
 	 * buckets that are 0 and this is used in the small error correction.
 	 * alpha_m is a multiplicative constant used in the algorithm.
 	 */
-	uint64 V;
+	uint64_t V;
 	double alpha_m;
 	int p; // the log2 of m
 };
 }
--- a/src/probabilistic/Hasher.cc
+++ b/src/probabilistic/Hasher.cc
@ -5,18 +5,21 @@
 #include "Hasher.h"
 #include "NetVar.h"
 #include "digest.h"
 #include "Serializer.h"
 #include "digest.h"
 #include "siphash24.h"
 using namespace probabilistic;
-uint64 Hasher::MakeSeed(const void* data, size_t size)
+Hasher::seed_t Hasher::MakeSeed(const void* data, size_t size)
 	{
 	u_char buf[SHA256_DIGEST_LENGTH];
-	uint64 tmpseed;
+	seed_t tmpseed;
 	SHA256_CTX ctx;
 	sha256_init(&ctx);
 	assert(sizeof(tmpseed) == 16);
 	if ( data )
 		sha256_update(&ctx, data, size);
@ -56,7 +59,10 @@ bool Hasher::DoSerialize(SerialInfo* info) const
 	if ( ! SERIALIZE(static_cast<uint16>(k)) )
 		return false;
-	return SERIALIZE(static_cast<uint64>(seed));
+	if ( ! SERIALIZE(static_cast<uint64>(seed.h1)) )
 		return false;
 	return SERIALIZE(static_cast<uint64>(seed.h2));
 	}
 bool Hasher::DoUnserialize(UnserialInfo* info)
@ -70,8 +76,11 @@ bool Hasher::DoUnserialize(UnserialInfo* info)
 	k = serial_k;
 	assert(k > 0);
-	uint64 serial_seed;
+	seed_t serial_seed;
-	if ( ! UNSERIALIZE(&serial_seed) )
+	if ( ! UNSERIALIZE(&serial_seed.h1) )
 		return false;
 	if ( ! UNSERIALIZE(&serial_seed.h2) )
 		return false;
 	seed = serial_seed;
@ -79,14 +88,18 @@ bool Hasher::DoUnserialize(UnserialInfo* info)
 	return true;
 	}
-Hasher::Hasher(size_t arg_k, size_t arg_seed)
+Hasher::Hasher(size_t arg_k, seed_t arg_seed)
 	{
 	k = arg_k;
 	seed = arg_seed;
 	}
-UHF::UHF(size_t arg_seed)
+UHF::UHF()
-	: h(arg_seed)
+	{
 	memset(&seed, 0, sizeof(seed));
 	}
 UHF::UHF(Hasher::seed_t arg_seed)
 	{
 	seed = arg_seed;
 	}
@ -96,8 +109,14 @@ UHF::UHF(size_t arg_seed)
 // times.
 Hasher::digest UHF::hash(const void* x, size_t n) const
 	{
 	assert(sizeof(Hasher::seed_t) == SIPHASH_KEYLEN);
 	if ( n <= UHASH_KEY_SIZE )
-		return n == 0 ? 0 : h(x, n);
+		{
 		hash_t outdigest;
 		siphash(&outdigest, reinterpret_cast<const uint8_t*>(x), n, reinterpret_cast<const uint8_t*>(&seed));
 		return outdigest;
 		}
 	unsigned char d[16];
 	MD5(reinterpret_cast<const unsigned char*>(x), n, d);
@ -111,11 +130,15 @@ Hasher::digest UHF::hash(const void* x, size_t n) const
 	return *reinterpret_cast<const Hasher::digest*>(d);
 	}
-DefaultHasher::DefaultHasher(size_t k, size_t seed)
+DefaultHasher::DefaultHasher(size_t k, Hasher::seed_t seed)
 	: Hasher(k, seed)
 	{
 	for ( size_t i = 1; i <= k; ++i )
-		hash_functions.push_back(UHF(Seed() + bro_prng(i)));
+		{
 		seed_t s = Seed();
 		s.h1 += bro_prng(i);
 		hash_functions.push_back(UHF(s));
 		}
 	}
 Hasher::digest_vector DefaultHasher::Hash(const void* x, size_t n) const
@ -158,12 +181,16 @@ bool DefaultHasher::DoUnserialize(UnserialInfo* info)
 	hash_functions.clear();
 	for ( size_t i = 0; i < K(); ++i )
-		hash_functions.push_back(UHF(Seed() + bro_prng(i)));
+		{
 		Hasher::seed_t s = Seed();
 		s.h1 += bro_prng(i);
 		hash_functions.push_back(UHF(s));
 		}
 	return true;
 	}
-DoubleHasher::DoubleHasher(size_t k, size_t seed)
+DoubleHasher::DoubleHasher(size_t k, seed_t seed)
 	: Hasher(k, seed), h1(seed + bro_prng(1)), h2(seed + bro_prng(2))
 	{
 	}
--- a/src/probabilistic/Hasher.h
+++ b/src/probabilistic/Hasher.h
@ -4,7 +4,6 @@
 #define PROBABILISTIC_HASHER_H
 #include "Hash.h"
 #include "H3.h"
 #include "SerialObj.h"
 namespace probabilistic {
@ -17,6 +16,15 @@ class Hasher : public SerialObj {
 public:
 	typedef hash_t digest;
 	typedef std::vector<digest> digest_vector;
 	struct seed_t {
 		uint64_t h1;
 		uint64_t h2;
 		friend seed_t operator+(seed_t lhs, const uint64_t rhs) {
 			lhs.h1 += rhs;
 			return lhs;
 		}
 	};
 	/**
 	 * Creates a valid hasher seed from an arbitrary string.
@ -30,7 +38,7 @@ public:
 	 *
 	 * @return A seed suitable for hashers.
 	 */
-	static uint64 MakeSeed(const void* data, size_t size);
+	static seed_t MakeSeed(const void* data, size_t size);
 	/**
 	 * Destructor.
@ -89,7 +97,7 @@ public:
 	/**
 	 * Returns the seed used to construct the hasher.
 	 */
-	size_t Seed() const	{ return seed; }
+	seed_t Seed() const	{ return seed; }
 	bool Serialize(SerialInfo* info) const;
 	static Hasher* Unserialize(UnserialInfo* info);
@ -106,11 +114,11 @@ protected:
 	 *
 	 * @param arg_seed The seed for the hasher.
 	 */
-	Hasher(size_t arg_k, size_t arg_seed);
+	Hasher(size_t arg_k, seed_t arg_seed);
 private:
 	size_t k;
-	size_t seed;
+	seed_t seed;
 };
 /**
@ -120,12 +128,17 @@ private:
 class UHF {
 public:
 	/**
-	 * Constructs an H3 hash function seeded with a given seed and an
+	 * Default constructor with zero seed.
 	 */
 	UHF();
 	/**
 	 * Constructs an hash function seeded with a given seed and an
 	 * optional extra seed to replace the initial Bro seed.
 	 *
 	 * @param arg_seed The seed to use for this instance.
 	 */
-	UHF(size_t arg_seed = 0);
+	UHF(Hasher::seed_t arg_seed);
 	template <typename T>
 	Hasher::digest operator()(const T& x) const
@ -159,7 +172,8 @@ public:
 	friend bool operator==(const UHF& x, const UHF& y)
 		{
-		return x.h == y.h;
+		return (x.seed.h1 == y.seed.h1) &&
 		       (x.seed.h2 == y.seed.h2);
 		}
 	friend bool operator!=(const UHF& x, const UHF& y)
@ -168,10 +182,9 @@ public:
 		}
 private:
-	static size_t compute_seed(size_t seed);
+	static size_t compute_seed(Hasher::seed_t seed);
-	H3<Hasher::digest, UHASH_KEY_SIZE> h;
+	Hasher::seed_t seed;
 	size_t seed;
 };
@ -188,7 +201,7 @@ public:
 	 *
 	 * @param seed The seed for the hasher.
 	 */
-	DefaultHasher(size_t k, size_t seed);
+	DefaultHasher(size_t k, Hasher::seed_t seed);
 	// Overridden from Hasher.
 	virtual digest_vector Hash(const void* x, size_t n) const final;
@ -216,7 +229,7 @@ public:
 	 *
 	 * @param seed The seed for the hasher.
 	 */
-	DoubleHasher(size_t k, size_t seed);
+	DoubleHasher(size_t k, Hasher::seed_t seed);
 	// Overridden from Hasher.
 	virtual digest_vector Hash(const void* x, size_t n) const final;
--- a/src/probabilistic/bloom-filter.bif
+++ b/src/probabilistic/bloom-filter.bif
@ -42,7 +42,7 @@ function bloomfilter_basic_init%(fp: double, capacity: count,
 	size_t cells = BasicBloomFilter::M(fp, capacity);
 	size_t optimal_k = BasicBloomFilter::K(cells, capacity);
-	size_t seed = Hasher::MakeSeed(name->Len() > 0 ? name->Bytes() : 0,
+	Hasher::seed_t seed = Hasher::MakeSeed(name->Len() > 0 ? name->Bytes() : 0,
                                 name->Len());
 	const Hasher* h = new DoubleHasher(optimal_k, seed);
@ -82,7 +82,7 @@ function bloomfilter_basic_init2%(k: count, cells: count,
 		return 0;
 		}
-	size_t seed = Hasher::MakeSeed(name->Len() > 0 ? name->Bytes() : 0,
+	Hasher::seed_t seed = Hasher::MakeSeed(name->Len() > 0 ? name->Bytes() : 0,
 				       name->Len());
 	const Hasher* h = new DoubleHasher(k, seed);
@ -121,7 +121,7 @@ function bloomfilter_counting_init%(k: count, cells: count, max: count,
 		return 0;
 		}
-	size_t seed = Hasher::MakeSeed(name->Len() > 0 ? name->Bytes() : 0,
+	Hasher::seed_t seed = Hasher::MakeSeed(name->Len() > 0 ? name->Bytes() : 0,
 				       name->Len());
 	const Hasher* h = new DefaultHasher(k, seed);
--- a/src/siphash24.c
+++ b/src/siphash24.c
@ -0,0 +1,166 @@
 /*
   SipHash reference C implementation
   Copyright (c) 2012-2014 Jean-Philippe Aumasson
   <jeanphilippe.aumasson@gmail.com>
   Copyright (c) 2012-2014 Daniel J. Bernstein <djb@cr.yp.to>
   To the extent possible under law, the author(s) have dedicated all copyright
   and related and neighboring rights to this software to the public domain
   worldwide. This software is distributed without any warranty.
   You should have received a copy of the CC0 Public Domain Dedication along
   with
   this software. If not, see
   <http://creativecommons.org/publicdomain/zero/1.0/>.
 */
 #include <stdint.h>
 #include <stdio.h>
 #include <string.h>
 /* default: SipHash-2-4 */
 #define cROUNDS 2
 #define dROUNDS 4
 #define ROTL(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))
 #define U32TO8_LE(p, v)                                                        \
  (p)[0] = (uint8_t)((v));                                                     \
  (p)[1] = (uint8_t)((v) >> 8);                                                \
  (p)[2] = (uint8_t)((v) >> 16);                                               \
  (p)[3] = (uint8_t)((v) >> 24);
 #define U64TO8_LE(p, v)                                                        \
  U32TO8_LE((p), (uint32_t)((v)));                                             \
  U32TO8_LE((p) + 4, (uint32_t)((v) >> 32));
 #define U8TO64_LE(p)                                                           \
  (((uint64_t)((p)[0])) | ((uint64_t)((p)[1]) << 8) |                          \
   ((uint64_t)((p)[2]) << 16) | ((uint64_t)((p)[3]) << 24) |                   \
   ((uint64_t)((p)[4]) << 32) | ((uint64_t)((p)[5]) << 40) |                   \
   ((uint64_t)((p)[6]) << 48) | ((uint64_t)((p)[7]) << 56))
 #define SIPROUND                                                               \
  do {                                                                         \
    v0 += v1;                                                                  \
    v1 = ROTL(v1, 13);                                                         \
    v1 ^= v0;                                                                  \
    v0 = ROTL(v0, 32);                                                         \
    v2 += v3;                                                                  \
    v3 = ROTL(v3, 16);                                                         \
    v3 ^= v2;                                                                  \
    v0 += v3;                                                                  \
    v3 = ROTL(v3, 21);                                                         \
    v3 ^= v0;                                                                  \
    v2 += v1;                                                                  \
    v1 = ROTL(v1, 17);                                                         \
    v1 ^= v2;                                                                  \
    v2 = ROTL(v2, 32);                                                         \
  } while (0)
 #ifdef SIPHASHDEBUG
 #define TRACE                                                                  \
  do {                                                                         \
    printf("(%3d) v0 %08x %08x\n", (int)inlen, (uint32_t)(v0 >> 32),           \
           (uint32_t)v0);                                                      \
    printf("(%3d) v1 %08x %08x\n", (int)inlen, (uint32_t)(v1 >> 32),           \
           (uint32_t)v1);                                                      \
    printf("(%3d) v2 %08x %08x\n", (int)inlen, (uint32_t)(v2 >> 32),           \
           (uint32_t)v2);                                                      \
    printf("(%3d) v3 %08x %08x\n", (int)inlen, (uint32_t)(v3 >> 32),           \
           (uint32_t)v3);                                                      \
  } while (0)
 #else
 #define TRACE
 #endif
 // [Bro] We turn this into an internal function. siphash.h defines a wrapper.
 int _siphash(uint8_t *out, const uint8_t *in, uint64_t inlen, const uint8_t *k) {
  /* "somepseudorandomlygeneratedbytes" */
  uint64_t v0 = 0x736f6d6570736575ULL;
  uint64_t v1 = 0x646f72616e646f6dULL;
  uint64_t v2 = 0x6c7967656e657261ULL;
  uint64_t v3 = 0x7465646279746573ULL;
  uint64_t b;
  uint64_t k0 = U8TO64_LE(k);
  uint64_t k1 = U8TO64_LE(k + 8);
  uint64_t m;
  int i;
  const uint8_t *end = in + inlen - (inlen % sizeof(uint64_t));
  const int left = inlen & 7;
  b = ((uint64_t)inlen) << 56;
  v3 ^= k1;
  v2 ^= k0;
  v1 ^= k1;
  v0 ^= k0;
 #ifdef DOUBLE
  v1 ^= 0xee;
 #endif
  for (; in != end; in += 8) {
    m = U8TO64_LE(in);
    v3 ^= m;
    TRACE;
    for (i = 0; i < cROUNDS; ++i)
      SIPROUND;
    v0 ^= m;
  }
  switch (left) {
  case 7:
    b |= ((uint64_t)in[6]) << 48;
  case 6:
    b |= ((uint64_t)in[5]) << 40;
  case 5:
    b |= ((uint64_t)in[4]) << 32;
  case 4:
    b |= ((uint64_t)in[3]) << 24;
  case 3:
    b |= ((uint64_t)in[2]) << 16;
  case 2:
    b |= ((uint64_t)in[1]) << 8;
  case 1:
    b |= ((uint64_t)in[0]);
    break;
  case 0:
    break;
  }
  v3 ^= b;
  TRACE;
  for (i = 0; i < cROUNDS; ++i)
    SIPROUND;
  v0 ^= b;
 #ifndef DOUBLE
  v2 ^= 0xff;
 #else
  v2 ^= 0xee;
 #endif
  TRACE;
  for (i = 0; i < dROUNDS; ++i)
    SIPROUND;
  b = v0 ^ v1 ^ v2 ^ v3;
  U64TO8_LE(out, b);
 #ifdef DOUBLE
  v1 ^= 0xdd;
  TRACE;
  for (i = 0; i < dROUNDS; ++i)
    SIPROUND;
  b = v0 ^ v1 ^ v2 ^ v3;
  U64TO8_LE(out + 8, b);
 #endif
  return 0;
 }
--- a/src/siphash24.h
+++ b/src/siphash24.h
@ -0,0 +1,18 @@
 #ifndef SIPHASH24_H
 #define SIPHASH24_H
 #define SIPHASH_KEYLEN 16
 #define SIPHASH_HASHLEN 8
 extern "C" {
 int _siphash(uint8_t *out, const uint8_t *in, uint64_t inlen, const uint8_t *k);
 }
 // [Bro] Wrapper for better type-safety.
 inline void siphash(uint64_t* digest, const uint8_t *in, uint64_t inlen, const uint8_t* key)
 	{
 	_siphash((uint8_t*)digest, in, inlen, key);
 	}
 #endif
--- a/src/threading/Formatter.h
+++ b/src/threading/Formatter.h
@ -23,7 +23,7 @@ public:
 	 * internal formatting.
 	 *
 	 */
-	Formatter(threading::MsgThread* t);
+	explicit Formatter(threading::MsgThread* t);
 	/**
 	 * Destructor.
--- a/src/threading/MsgThread.h
+++ b/src/threading/MsgThread.h
@ -64,7 +64,7 @@ public:
 	 *
 	 * @param msg  The message. It will be prefixed with the thread's name.
 	 */
-	void Info(const char* msg);
+	virtual void Info(const char* msg);
 	/**
 	 * Reports a warning from the child thread that may indicate a
@ -73,9 +73,14 @@ public:
 	 *
 	 * Only the child thread may call this method.
 	 *
 	 * Can be overriden in derived classed to hook into the error handling
 	 * but must should generally also call the parent implementation. Note
 	 * that this method is always called by the child thread and must not access
 	 * data or datastructures of the main thread directly.
 	 *
 	 * @param msg  The message. It will be prefixed with the thread's name.
 	 */
-	void Warning(const char* msg);
+	virtual void Warning(const char* msg);
 	/**
 	 * Reports a non-fatal error from the child thread. The main thread
@ -84,9 +89,14 @@ public:
 	 *
 	 * Only the child thread may call this method.
 	 *
 	 * Can be overriden in derived classed to hook into the error handling
 	 * but must should generally also call the parent implementation. Note
 	 * that this method is always called by the child thread and must not access
 	 * data or datastructures of the main thread directly.
 	 *
 	 * @param msg  The message. It will be prefixed with the thread's name.
 	 */
-	void Error(const char* msg);
+	virtual void Error(const char* msg);
 	/**
 	 * Reports a fatal error from the child thread. The main thread will
@ -223,10 +233,10 @@ protected:
 	 * Overriden from BasicThread.
 	 *
 	 */
-	virtual void Run();
+	void Run() override;
-	virtual void OnWaitForStop();
+	void OnWaitForStop() override;
-	virtual void OnSignalStop();
+	void OnSignalStop() override;
-	virtual void OnKill();
+	void OnKill() override;
 private:
 	/**
--- a/src/threading/formatters/Ascii.cc
+++ b/src/threading/formatters/Ascii.cc
@ -232,7 +232,7 @@ threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag
 			val->val.int_val = 0;
 		else
 			{
-			GetThread()->Error(GetThread()->Fmt("Field: %s Invalid value for boolean: %s",
+			GetThread()->Warning(GetThread()->Fmt("Field: %s Invalid value for boolean: %s",
 				  name.c_str(), start));
 			goto parse_error;
 			}
@ -273,7 +273,7 @@ threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag
 		size_t pos = unescaped.find("/");
 		if ( pos == unescaped.npos )
 			{
-			GetThread()->Error(GetThread()->Fmt("Invalid value for subnet: %s", start));
+			GetThread()->Warning(GetThread()->Fmt("Invalid value for subnet: %s", start));
 			goto parse_error;
 			}
@ -348,7 +348,7 @@ threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag
 			if ( pos >= length )
 				{
-				GetThread()->Error(GetThread()->Fmt("Internal error while parsing set. pos %d >= length %d."
+				GetThread()->Warning(GetThread()->Fmt("Internal error while parsing set. pos %d >= length %d."
 				          " Element: %s", pos, length, element.c_str()));
 				error = true;
 				break;
@ -357,7 +357,7 @@ threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag
 			threading::Value* newval = ParseValue(element, name, subtype);
 			if ( newval == 0 )
 				{
-				GetThread()->Error("Error while reading set or vector");
+				GetThread()->Warning("Error while reading set or vector");
 				error = true;
 				break;
 				}
@ -375,7 +375,7 @@ threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag
 			lvals[pos] = ParseValue("", name, subtype);
 			if ( lvals[pos] == 0 )
 				{
-				GetThread()->Error("Error while trying to add empty set element");
+				GetThread()->Warning("Error while trying to add empty set element");
 				goto parse_error;
 				}
@ -394,7 +394,7 @@ threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag
 		if ( pos != length )
 			{
-			GetThread()->Error(GetThread()->Fmt("Internal error while parsing set: did not find all elements: %s", start));
+			GetThread()->Warning(GetThread()->Fmt("Internal error while parsing set: did not find all elements: %s", start));
 			goto parse_error;
 			}
@ -402,7 +402,7 @@ threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag
 		}
 	default:
-		GetThread()->Error(GetThread()->Fmt("unsupported field format %d for %s", type,
+		GetThread()->Warning(GetThread()->Fmt("unsupported field format %d for %s", type,
 						    name.c_str()));
 		goto parse_error;
 	}
@ -419,13 +419,13 @@ bool Ascii::CheckNumberError(const char* start, const char* end) const
 	threading::MsgThread* thread = GetThread();
 	if ( end == start && *end != '\0'  ) {
-		thread->Error(thread->Fmt("String '%s' contained no parseable number", start));
+		thread->Warning(thread->Fmt("String '%s' contained no parseable number", start));
 		return true;
 	}
 	if ( end - start == 0 && *end == '\0' )
 		{
-		thread->Error("Got empty string for number field");
+		thread->Warning("Got empty string for number field");
 		return true;
 		}
@ -434,13 +434,13 @@ bool Ascii::CheckNumberError(const char* start, const char* end) const
 	if ( errno == EINVAL )
 		{
-		thread->Error(thread->Fmt("String '%s' could not be converted to a number", start));
+		thread->Warning(thread->Fmt("String '%s' could not be converted to a number", start));
 		return true;
 		}
 	else if ( errno == ERANGE )
 		{
-		thread->Error(thread->Fmt("Number '%s' out of supported range.", start));
+		thread->Warning(thread->Fmt("Number '%s' out of supported range.", start));
 		return true;
 		}
--- a/src/types.bif
+++ b/src/types.bif
@ -170,3 +170,13 @@ type gtp_rai: record;
 type gtp_qos_profile: record;
 type gtp_private_extension: record;
 type gtp_gsn_addr: record;
 module Reporter;
 enum Level %{
 	INFO = 0,
 	WARNING = 1,
 	ERROR = 2,
 %}
 module GLOBAL;
--- a/src/util.cc
+++ b/src/util.cc
@ -695,9 +695,12 @@ std::string strstrip(std::string s)
 	return s;
 	}
-int hmac_key_set = 0;
+bool hmac_key_set = false;
 uint8 shared_hmac_md5_key[16];
 bool siphash_key_set = false;
 uint8 shared_siphash_key[SIPHASH_KEYLEN];
 void hmac_md5(size_t size, const unsigned char* bytes, unsigned char digest[16])
 	{
 	if ( ! hmac_key_set )
@ -789,19 +792,20 @@ void bro_srandom(unsigned int seed)
 		srandom(seed);
 	}
-void init_random_seed(uint32 seed, const char* read_file, const char* write_file)
+void init_random_seed(const char* read_file, const char* write_file)
 	{
-	static const int bufsiz = 16;
+	static const int bufsiz = 20;
 	uint32 buf[bufsiz];
 	memset(buf, 0, sizeof(buf));
 	int pos = 0;	// accumulates entropy
 	bool seeds_done = false;
 	uint32 seed = 0;
 	if ( read_file )
 		{
 		if ( ! read_random_seeds(read_file, &seed, buf, bufsiz) )
-			reporter->Error("Could not load seeds from file '%s'.\n",
+			reporter->FatalError("Could not load seeds from file '%s'.\n",
-					read_file);
+					     read_file);
 		else
 			seeds_done = true;
 		}
@ -812,12 +816,13 @@ void init_random_seed(uint32 seed, const char* read_file, const char* write_file
 		gettimeofday((struct timeval *)(buf + pos), 0);
 		pos += sizeof(struct timeval) / sizeof(uint32);
 		// use urandom. For reasons see e.g. http://www.2uo.de/myths-about-urandom/
 #if defined(O_NONBLOCK)
-		int fd = open("/dev/random", O_RDONLY | O_NONBLOCK);
+		int fd = open("/dev/urandom", O_RDONLY | O_NONBLOCK);
 #elif defined(O_NDELAY)
-		int fd = open("/dev/random", O_RDONLY | O_NDELAY);
+		int fd = open("/dev/urandom", O_RDONLY | O_NDELAY);
 #else
-		int fd = open("/dev/random", O_RDONLY);
+		int fd = open("/dev/urandom", O_RDONLY);
 #endif
 		if ( fd >= 0 )
@ -835,12 +840,7 @@ void init_random_seed(uint32 seed, const char* read_file, const char* write_file
 			}
 		if ( pos < bufsiz )
-			{
+			reporter->FatalError("Could not read enough random data from /dev/urandom. Wanted %d, got %d", bufsiz, pos);
 			buf[pos++] = getpid();
 			if ( pos < bufsiz )
 				buf[pos++] = getuid();
 			}
 		if ( ! seed )
 			{
@ -864,8 +864,16 @@ void init_random_seed(uint32 seed, const char* read_file, const char* write_file
 	if ( ! hmac_key_set )
 		{
-		MD5((const u_char*) buf, sizeof(buf), shared_hmac_md5_key);
+		assert(sizeof(buf) - 16 == 64);
-		hmac_key_set = 1;
+		MD5((const u_char*) buf, sizeof(buf) - 16, shared_hmac_md5_key); // The last 128 bits of buf are for siphash
 		hmac_key_set = true;
 		}
 	if ( ! siphash_key_set )
 		{
 		assert(sizeof(buf) - 64 == SIPHASH_KEYLEN);
 		memcpy(shared_siphash_key, reinterpret_cast<const char*>(buf) + 64, SIPHASH_KEYLEN);
 		siphash_key_set = true;
 		}
 	if ( write_file && ! write_random_seeds(write_file, seed, buf, bufsiz) )
--- a/src/util.h
+++ b/src/util.h
@ -23,13 +23,9 @@
 #include <string.h>
 #include <stdarg.h>
 #include <libgen.h>
 #include "bro-config.h"
-#if __STDC__
+#include "bro-config.h"
-#define myattribute __attribute__
+#include "siphash24.h"
 #else
 #define myattribute(x)
 #endif
 #ifdef DEBUG
@ -163,7 +159,7 @@ extern const char* fmt_bytes(const char* data, int len);
 // Note: returns a pointer into a shared buffer.
 extern const char* fmt(const char* format, ...)
-	myattribute((format (printf, 1, 2)));
+	__attribute__((format (printf, 1, 2)));
 extern const char* fmt_access_time(double time);
 extern bool ensure_intermediate_dirs(const char* dirname);
@ -181,10 +177,11 @@ extern std::string strreplace(const std::string& s, const std::string& o, const
 // Remove all leading and trailing white space from string.
 extern std::string strstrip(std::string s);
 extern bool hmac_key_set;
 extern uint8 shared_hmac_md5_key[16];
 extern bool siphash_key_set;
 extern uint8 shared_siphash_key[SIPHASH_KEYLEN];
 extern int hmac_key_set;
 extern unsigned char shared_hmac_md5_key[16];
 extern void hmac_md5(size_t size, const unsigned char* bytes,
 			unsigned char digest[16]);
@ -194,8 +191,7 @@ extern void hmac_md5(size_t size, const unsigned char* bytes,
 // over the "seed" argument.  If write_file is given, the seeds are written
 // to that file.
 //
-extern void init_random_seed(uint32 seed, const char* load_file,
+extern void init_random_seed(const char* load_file, const char* write_file);
 				const char* write_file);
 // Retrieves the initial seed computed after the very first call to
 // init_random_seed(). Repeated calls to init_random_seed() will not affect
--- a/testing/btest/Baseline/bifs.bloomfilter-seed/output
+++ b/testing/btest/Baseline/bifs.bloomfilter-seed/output
@ -1,8 +1,8 @@
-bf1, global_seed, 11979365913534242684
+bf1, global_seed, 4955302038280957656
-bf2, global_seed, 12550100962110750449
+bf2, global_seed, 11260532077783130352
-bf3, my_seed, 12550100962110750449
+bf3, my_seed, 4955302038280957656
-bf4, my_seed, 945716460325754659
+bf4, my_seed, 11260532077783130352
-bf1, global_seed, 12550100962110750449
+bf1, global_seed, 4955302038280957656
-bf2, global_seed, 945716460325754659
+bf2, global_seed, 11260532077783130352
-bf3, my_seed, 12550100962110750449
+bf3, my_seed, 4955302038280957656
-bf4, my_seed, 945716460325754659
+bf4, my_seed, 11260532077783130352
--- a/testing/btest/Baseline/bifs.bloomfilter/output
+++ b/testing/btest/Baseline/bifs.bloomfilter/output
@ -13,7 +13,6 @@ error: false-positive rate must take value between 0 and 1
 1
 1
 1, fp
 1, fp
 1
 1
 1
--- a/testing/btest/Baseline/bifs.decode_base64_conn/weird.log
+++ b/testing/btest/Baseline/bifs.decode_base64_conn/weird.log
@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2015-08-31-03-09-20
+#open	2016-07-13-16-12-36
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1254722767.875996	CjhGID4nQcgTWjvg4c	10.10.1.4	1470	74.53.140.153	25	base64_illegal_encoding	incomplete base64 group, padding with 12 bits of 0	F	bro
+1254722767.875996	ClEkJM2Vm5giqnMf4h	10.10.1.4	1470	74.53.140.153	25	base64_illegal_encoding	incomplete base64 group, padding with 12 bits of 0	F	bro
-1437831787.861602	CPbrpk1qSsw6ESzHV4	192.168.133.100	49648	192.168.133.102	25	base64_illegal_encoding	incomplete base64 group, padding with 12 bits of 0	F	bro
+1437831787.861602	CmES5u32sYpV7JYN	192.168.133.100	49648	192.168.133.102	25	base64_illegal_encoding	incomplete base64 group, padding with 12 bits of 0	F	bro
-1437831799.610433	C7XEbhP654jzLoe3a	192.168.133.100	49655	17.167.150.73	443	base64_illegal_encoding	incomplete base64 group, padding with 12 bits of 0	F	bro
+1437831799.610433	C3eiCBGOLw3VtHfOj	192.168.133.100	49655	17.167.150.73	443	base64_illegal_encoding	incomplete base64 group, padding with 12 bits of 0	F	bro
-#close	2015-08-31-03-09-20
+#close	2016-07-13-16-12-36
--- a/testing/btest/Baseline/bifs.filter_subnet_table/output
+++ b/testing/btest/Baseline/bifs.filter_subnet_table/output
@ -1,16 +1,16 @@
 {
 10.0.0.0/8,
-10.2.0.2/31,
+10.2.0.0/16,
-10.2.0.0/16
+10.2.0.2/31
 }
 {
 [10.0.0.0/8] = a,
-[10.2.0.2/31] = c,
+[10.2.0.0/16] = b,
-[10.2.0.0/16] = b
+[10.2.0.2/31] = c
 }
 {
-[10.0.0.0/8] = a,
+[10.3.0.0/16] = e,
-[10.3.0.0/16] = e
+[10.0.0.0/8] = a
 }
 {
--- a/testing/btest/Baseline/bifs.hll_large_estimate/out
+++ b/testing/btest/Baseline/bifs.hll_large_estimate/out
@ -0,0 +1,3 @@
 Ok error
 171249.90868
 Ok error
--- a/testing/btest/Baseline/bifs.matching_subnets/output
+++ b/testing/btest/Baseline/bifs.matching_subnets/output
@ -1,16 +1,16 @@
 {
 10.0.0.0/8,
 10.3.0.0/16,
 10.2.0.2/31,
 2607:f8b0:4007:807::/64,
 10.2.0.0/16,
 5.2.0.0/32,
 5.5.0.0/25,
 10.1.0.0/16,
 5.0.0.0/8,
 2607:f8b0:4007:807::200e/128,
 7.2.0.0/32,
-2607:f8b0:4008:807::/64
+10.3.0.0/16,
 2607:f8b0:4007:807::200e/128,
 10.0.0.0/8,
 2607:f8b0:4007:807::/64,
 10.1.0.0/16,
 5.2.0.0/32,
 10.2.0.0/16,
 2607:f8b0:4008:807::/64,
 10.2.0.2/31,
 5.5.0.0/25
 }
 [10.2.0.2/31, 10.2.0.0/16, 10.0.0.0/8]
 [2607:f8b0:4007:807::200e/128, 2607:f8b0:4007:807::/64]
--- a/testing/btest/Baseline/bifs.netbios-functions/out
+++ b/testing/btest/Baseline/bifs.netbios-functions/out
@ -1,8 +1,8 @@
 MARTIN
 3
 WORKGROUP
 27
 ISATAP
 0
 \x01\x02__MSBROWSE__\x02
 1
 WORKGROUP
 27
 MARTIN
 3
 ISATAP
 0
--- a/testing/btest/Baseline/bifs.rand/out
+++ b/testing/btest/Baseline/bifs.rand/out
@ -1,6 +1,6 @@
-985
+20
-474
+484
-738
+137
 4
 634
 473
--- a/testing/btest/Baseline/bifs.rand/out.2
+++ b/testing/btest/Baseline/bifs.rand/out.2
@ -1,6 +1,6 @@
-985
+20
-474
+484
-738
+137
-974
+263
-371
+217
-638
+243
--- a/testing/btest/Baseline/bifs.records_fields/out
+++ b/testing/btest/Baseline/bifs.records_fields/out
@ -1,8 +1,8 @@
 [a=42, b=Foo, c=<uninitialized>, d=Bar]
 {
 [b] = [type_name=record, log=F, value=Foo, default_val=Foo],
 [d] = [type_name=record, log=T, value=Bar, default_val=<uninitialized>],
 [c] = [type_name=record, log=F, value=<uninitialized>, default_val=<uninitialized>],
-[a] = [type_name=record, log=F, value=42, default_val=<uninitialized>]
+[a] = [type_name=record, log=F, value=42, default_val=<uninitialized>],
 [d] = [type_name=record, log=T, value=Bar, default_val=<uninitialized>]
 }
 F
--- a/testing/btest/Baseline/bifs.unique_id/out
+++ b/testing/btest/Baseline/bifs.unique_id/out
@ -1,6 +1,6 @@
-A-56gKBmhBBB6
+A-rFj3eGxkRR5
-B-PjbroujOxH4
+B-q3FkxySjt2a
-C-N4zgPFAv3J
+C-Chd8EgFWk2j
-D-R8BqVlcp23e
+D-NHNewIpRB26
-E-duYdXg7bTa3
+E-V26Y5PaLbW3
-F-FSX5JvMaA88
+F-xUIu5RK8w0f
--- a/testing/btest/Baseline/core.bits_per_uid/128
+++ b/testing/btest/Baseline/core.bits_per_uid/128
@ -1,9 +1,9 @@
-CUWkUyAuUGXfarKYeMETxOg
+C2NNAAAHZBl4GS1DHFjwGM9
-Ck6kgXLOoSKlnQcgTWjvg4c
+CecCbjYTWM3dVm5giqnMf4h
 Fj3nTWNjezo6G6xBmyo58Tf
-Cj4u32Pc5bifTEfuqmmG4bh
+C6CWH0ZufRpfPJpwUYZZ6gc
 F4VAnSiNGSQhKEoCPd4zuQd
-CFrJExwHcSal5OKnoww6xl4
+CIdXDQc8a0ud0MLrsMUOJi2
 FaJg8mtdsS86cWjSe4spPPl
-C3PKsZ2Uye21VW0XPVINV8a
+Cae9B2GP1sJiMLUfNB0cl11
 FvBr89nD30GgGAp3wgtm6qf
--- a/testing/btest/Baseline/core.bits_per_uid/256
+++ b/testing/btest/Baseline/core.bits_per_uid/256
@ -1,9 +1,9 @@
-CUWkUyAuUGXfarKYeMETxOg
+C2NNAAAHZBl4GS1DHFjwGM9
-Ck6kgXLOoSKlnQcgTWjvg4c
+CecCbjYTWM3dVm5giqnMf4h
 Fj3nTWNjezo6G6xBmyo58Tf
-Cj4u32Pc5bifTEfuqmmG4bh
+C6CWH0ZufRpfPJpwUYZZ6gc
 F4VAnSiNGSQhKEoCPd4zuQd
-CFrJExwHcSal5OKnoww6xl4
+CIdXDQc8a0ud0MLrsMUOJi2
 FaJg8mtdsS86cWjSe4spPPl
-C3PKsZ2Uye21VW0XPVINV8a
+Cae9B2GP1sJiMLUfNB0cl11
 FvBr89nD30GgGAp3wgtm6qf
--- a/testing/btest/Baseline/core.bits_per_uid/32
+++ b/testing/btest/Baseline/core.bits_per_uid/32
@ -1,9 +1,9 @@
-CXWv6p30
+CHhAvV0
-CCyvnA30
+CRQjp520
 F75yAm10
-CjhGID40
+ClEkJM20
 FmGk6O30
-CdfHBz20
+CHZeJD30
 Fuh3fj10
-CCvvfg30
+C4J4Th30
 Ftwuyy30
--- a/testing/btest/Baseline/core.bits_per_uid/64
+++ b/testing/btest/Baseline/core.bits_per_uid/64
@ -1,9 +1,9 @@
-CUWkUyAuUGXf0
+C2NNAAAHZBl40
-CarKYeMETxOg0
+CGS1DHFjwGM90
 Fj3nTWNjezo60
-Ck6kgXLOoSKl0
+CecCbjYTWM3d0
 F4VAnSiNGSQh0
-CnQcgTWjvg4c0
+CVm5giqnMf4h0
 FaJg8mtdsS860
-Cj4u32Pc5bif0
+C6CWH0ZufRpf0
 FvBr89nD30Gg0
--- a/testing/btest/Baseline/core.bits_per_uid/96
+++ b/testing/btest/Baseline/core.bits_per_uid/96
@ -1,9 +1,9 @@
-CXWv6p3arKYeMETxOg
+CHhAvVGS1DHFjwGM9
-CjhGID4nQcgTWjvg4c
+ClEkJM2Vm5giqnMf4h
 F75yAm1G6xBmyo58Tf
-CCvvfg3TEfuqmmG4bh
+C4J4Th3PJpwUYZZ6gc
 FmGk6O3KEoCPd4zuQd
-CsRx2w45OKnoww6xl4
+CtPZjS20MLrsMUOJi2
 Fuh3fj1cWjSe4spPPl
-CRJuHdVW0XPVINV8a
+CUM0KZ3MLUfNB0cl11
 Ftwuyy3GAp3wgtm6qf
--- a/testing/btest/Baseline/core.checksums/bad.out
+++ b/testing/btest/Baseline/core.checksums/bad.out
@ -3,101 +3,101 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-06-15-20-38-04
+#open	2016-07-13-16-12-42
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1332784981.078396	-	-	-	-	-	bad_IP_checksum	-	F	bro
-#close	2016-06-15-20-38-04
+#close	2016-07-13-16-12-42
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-06-15-20-38-06
+#open	2016-07-13-16-12-42
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1332784885.686428	CXWv6p3arKYeMETxOg	127.0.0.1	30000	127.0.0.1	80	bad_TCP_checksum	-	F	bro
+1332784885.686428	CHhAvVGS1DHFjwGM9	127.0.0.1	30000	127.0.0.1	80	bad_TCP_checksum	-	F	bro
-#close	2016-06-15-20-38-06
+#close	2016-07-13-16-12-42
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-06-15-20-38-08
+#open	2016-07-13-16-12-43
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1332784933.501023	CXWv6p3arKYeMETxOg	127.0.0.1	30000	127.0.0.1	13000	bad_UDP_checksum	-	F	bro
+1332784933.501023	CHhAvVGS1DHFjwGM9	127.0.0.1	30000	127.0.0.1	13000	bad_UDP_checksum	-	F	bro
-#close	2016-06-15-20-38-08
+#close	2016-07-13-16-12-43
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-06-15-20-38-10
+#open	2016-07-13-16-12-43
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334075363.536871	CXWv6p3arKYeMETxOg	192.168.1.100	8	192.168.1.101	0	bad_ICMP_checksum	-	F	bro
+1334075363.536871	CHhAvVGS1DHFjwGM9	192.168.1.100	8	192.168.1.101	0	bad_ICMP_checksum	-	F	bro
-#close	2016-06-15-20-38-10
+#close	2016-07-13-16-12-43
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-06-15-20-38-11
+#open	2016-07-13-16-12-44
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1332785210.013051	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::2	0	routing0_hdr	-	F	bro
-1332785210.013051	CXWv6p3arKYeMETxOg	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:78:1:32::2	80	bad_TCP_checksum	-	F	bro
+1332785210.013051	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:78:1:32::2	80	bad_TCP_checksum	-	F	bro
-#close	2016-06-15-20-38-12
+#close	2016-07-13-16-12-44
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-06-15-20-38-13
+#open	2016-07-13-16-12-44
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1332782580.798420	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::2	0	routing0_hdr	-	F	bro
-1332782580.798420	CXWv6p3arKYeMETxOg	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:78:1:32::2	13000	bad_UDP_checksum	-	F	bro
+1332782580.798420	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:78:1:32::2	13000	bad_UDP_checksum	-	F	bro
-#close	2016-06-15-20-38-13
+#close	2016-07-13-16-12-44
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-06-15-20-38-15
+#open	2016-07-13-16-12-45
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1334075111.800086	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	bro
-1334075111.800086	CXWv6p3arKYeMETxOg	2001:4f8:4:7:2e0:81ff:fe52:ffff	128	2001:78:1:32::1	129	bad_ICMP_checksum	-	F	bro
+1334075111.800086	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	128	2001:78:1:32::1	129	bad_ICMP_checksum	-	F	bro
-#close	2016-06-15-20-38-15
+#close	2016-07-13-16-12-45
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-06-15-20-38-16
+#open	2016-07-13-16-12-45
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1332785250.469132	CXWv6p3arKYeMETxOg	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:4f8:4:7:2e0:81ff:fe52:9a6b	80	bad_TCP_checksum	-	F	bro
+1332785250.469132	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:4f8:4:7:2e0:81ff:fe52:9a6b	80	bad_TCP_checksum	-	F	bro
-#close	2016-06-15-20-38-17
+#close	2016-07-13-16-12-45
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-06-15-20-38-18
+#open	2016-07-13-16-12-46
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1332781342.923813	CXWv6p3arKYeMETxOg	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:4f8:4:7:2e0:81ff:fe52:9a6b	13000	bad_UDP_checksum	-	F	bro
+1332781342.923813	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:4f8:4:7:2e0:81ff:fe52:9a6b	13000	bad_UDP_checksum	-	F	bro
-#close	2016-06-15-20-38-18
+#close	2016-07-13-16-12-46
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-06-15-20-38-20
+#open	2016-07-13-16-12-46
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334074939.467194	CXWv6p3arKYeMETxOg	2001:4f8:4:7:2e0:81ff:fe52:ffff	128	2001:4f8:4:7:2e0:81ff:fe52:9a6b	129	bad_ICMP_checksum	-	F	bro
+1334074939.467194	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	128	2001:4f8:4:7:2e0:81ff:fe52:9a6b	129	bad_ICMP_checksum	-	F	bro
-#close	2016-06-15-20-38-20
+#close	2016-07-13-16-12-47
--- a/testing/btest/Baseline/core.checksums/good.out
+++ b/testing/btest/Baseline/core.checksums/good.out
@ -3,68 +3,68 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-06-15-20-38-20
+#open	2016-07-13-16-12-46
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334074939.467194	CXWv6p3arKYeMETxOg	2001:4f8:4:7:2e0:81ff:fe52:ffff	128	2001:4f8:4:7:2e0:81ff:fe52:9a6b	129	bad_ICMP_checksum	-	F	bro
+1334074939.467194	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	128	2001:4f8:4:7:2e0:81ff:fe52:9a6b	129	bad_ICMP_checksum	-	F	bro
-#close	2016-06-15-20-38-20
+#close	2016-07-13-16-12-47
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-06-15-20-38-27
+#open	2016-07-13-16-12-49
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1332785125.596793	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::2	0	routing0_hdr	-	F	bro
-#close	2016-06-15-20-38-27
+#close	2016-07-13-16-12-49
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-06-15-20-38-28
+#open	2016-07-13-16-12-49
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1332782508.592037	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::2	0	routing0_hdr	-	F	bro
-#close	2016-06-15-20-38-29
+#close	2016-07-13-16-12-49
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-06-15-20-38-30
+#open	2016-07-13-16-12-50
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1334075027.053380	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	bro
-#close	2016-06-15-20-38-30
+#close	2016-07-13-16-12-50
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-06-15-20-38-30
+#open	2016-07-13-16-12-50
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1334075027.053380	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	bro
-#close	2016-06-15-20-38-30
+#close	2016-07-13-16-12-50
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-06-15-20-38-30
+#open	2016-07-13-16-12-50
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1334075027.053380	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	bro
-#close	2016-06-15-20-38-30
+#close	2016-07-13-16-12-50
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-06-15-20-38-30
+#open	2016-07-13-16-12-50
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1334075027.053380	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	bro
-#close	2016-06-15-20-38-30
+#close	2016-07-13-16-12-50
--- a/testing/btest/Baseline/core.conn-uid/output
+++ b/testing/btest/Baseline/core.conn-uid/output
@ -1,43 +1,43 @@
-[orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], CXWv6p3arKYeMETxOg
+[orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], CHhAvVGS1DHFjwGM9
-[orig_h=fe80::217:f2ff:fed7:cf65, orig_p=5353/udp, resp_h=ff02::fb, resp_p=5353/udp], CjhGID4nQcgTWjvg4c
+[orig_h=fe80::217:f2ff:fed7:cf65, orig_p=5353/udp, resp_h=ff02::fb, resp_p=5353/udp], ClEkJM2Vm5giqnMf4h
-[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], CCvvfg3TEfuqmmG4bh
+[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], C4J4Th3PJpwUYZZ6gc
-[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], CsRx2w45OKnoww6xl4
+[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], CtPZjS20MLrsMUOJi2
-[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], CRJuHdVW0XPVINV8a
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], CUM0KZ3MLUfNB0cl11
-[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], CRJuHdVW0XPVINV8a
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], CUM0KZ3MLUfNB0cl11
-[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], CPbrpk1qSsw6ESzHV4
+[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], CmES5u32sYpV7JYN
-[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], C6pKV8GSxOnSLghOa
+[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], CP5puj4I8PtEU4qzYg
-[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], CIPOse170MGiRM1Qf4
+[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], C37jN32gN3y3AZzyf6
-[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], C7XEbhP654jzLoe3a
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], C3eiCBGOLw3VtHfOj
-[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CJ3xTn1c4Zw9TmAE05
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CwjjYJ2WqgTbAqiHl6
-[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], CMXxB5GvmoxJFXdTa
+[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], C0LAHyvtKSQHyJxIl
-[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], Caby8b1slFea8xwSmb
+[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], CFLRIC3zaTU1loLGxh
-[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], Che1bq3i2rO3KD1Syg
+[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], C9rXSW3KSpTYvPrlI1
-[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], C3SfNE4BWaU4aSuwkc
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], Ck51lg1bScffFj34Ri
-[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], CEle3f3zno26fFZkrh
+[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], C9mvWx3ezztgzcexV7
-[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], CwSkQu4eWZCH7OONC1
+[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], CNnMIj2QSd84NKf7U3
-[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], CfTOmO0HKorjr8Zp7
+[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], C7fIlMZDuRiqjpYbb
-[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CzA03V1VcgagLjnO92
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CykQaM33ztNt0csB9a
-[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CyAhVIzHqb7t7kv28
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CtxTCR2Yer0FR1tIBg
-[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], Cab0vO1xNYSS2hJkle
+[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], CpmdRlaUoJLN3uIRa
-[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], Cx2FqO23omNawSNrxj
+[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], C1Xkzz2MaGtLrc1Tla
-[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], Cx3C534wEyF3OvvcQe
+[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], CqlVyW1YwZ15RhTBc4
-[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CkDsfG2YIeWJmXWNWj
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CLNN1k2QMum1aexUK7
-[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], CUKS0W3HFYOnBqSE5e
+[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], CBA8792iHmnhPLksKa
-[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], CRrfvP2lalMAYOCLhj
+[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], CGLPPc35OzDQij1XX8
-[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], Cn78a440HlxuyZKs6f
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], CiyBAq1bBLNaTiTAc
-[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CJ3xTn1c4Zw9TmAE05
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CwjjYJ2WqgTbAqiHl6
-[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], C7XEbhP654jzLoe3a
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], C3eiCBGOLw3VtHfOj
-[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], C3SfNE4BWaU4aSuwkc
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], Ck51lg1bScffFj34Ri
-[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CyAhVIzHqb7t7kv28
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CtxTCR2Yer0FR1tIBg
-[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CzA03V1VcgagLjnO92
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CykQaM33ztNt0csB9a
-[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CkDsfG2YIeWJmXWNWj
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CLNN1k2QMum1aexUK7
-[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], Cn78a440HlxuyZKs6f
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], CiyBAq1bBLNaTiTAc
-[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], CUof3F2yAIid8QS3dk
+[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], CFSwNi4CNGxcuffo49
-[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], CUof3F2yAIid8QS3dk
+[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], CFSwNi4CNGxcuffo49
-[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], CojBOU3CXcLHl1r6x1
+[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], Cipfzj1BEnhejw8cGf
-[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], CJzVQRGJrX6V15ik7
+[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], CV5WJ42jPYbNW9JNWf
-[orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/udp, resp_h=ff02::1:3, resp_p=5355/udp], ClAbxY1nmdjCuo0Le2
+[orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/udp, resp_h=ff02::1:3, resp_p=5355/udp], CPhDKt12KQPUVbQz06
-[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], CwG0BF1VXE0gWgs78
+[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], CAnFrb2Cvxr5T7quOc
-[orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/udp, resp_h=ff02::1:3, resp_p=5355/udp], CisNaL1Cm73CiNOmcg
+[orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/udp, resp_h=ff02::1:3, resp_p=5355/udp], C8rquZ3DjgNW06JGLl
-[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], CBQnJn22qN8TOeeZil
+[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], CzrZOtXqhwwndQva3
-[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], CbEsuD3dgDDngdlbKf
+[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], CaGCc13FffXe6RkQl9
--- a/testing/btest/Baseline/core.fake_dns/out
+++ b/testing/btest/Baseline/core.fake_dns/out
@ -1,7 +1,7 @@
 {
 1d59:20f4:b44b:27a8:2bd:77c4:f053:6f5a,
 50cd:1a9a:1837:5803:9b08:41aa:738c:3f0b,
-477c:8c51:4f4f:61ec:9981:1259:86b8:8987,
+477c:8c51:4f4f:61ec:9981:1259:86b8:8987
 1d59:20f4:b44b:27a8:2bd:77c4:f053:6f5a
 }
 lookup_hostname_txt, fake_text_lookup_result_bro.wp.dg.cx
 lookup_hostname, {
--- a/testing/btest/Baseline/core.history-flip/conn.log
+++ b/testing/btest/Baseline/core.history-flip/conn.log
@ -0,0 +1,10 @@
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	conn
 #open	2016-07-13-17-58-11
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
 1128727435.633408	CHhAvVGS1DHFjwGM9	141.42.64.125	56730	125.190.109.199	80	tcp	http	1.550793	98	9417	SF	-	-	0	^hADdFaf	11	670	10	9945	(empty)
 #close	2016-07-13-17-58-11
--- a/testing/btest/Baseline/core.ipv6-frag/dns.log
+++ b/testing/btest/Baseline/core.ipv6-frag/dns.log
@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	dns
-#open	2016-06-15-03-33-34
+#open	2016-07-13-16-12-54
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
 #types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-1331084278.438444	CXWv6p3arKYeMETxOg	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51850	2607:f740:b::f93	53	udp	3903	0.079300	txtpadding_323.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	0	NOERROR	T	F	T	F	0	TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 136 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX	1.000000	F
+1331084278.438444	CHhAvVGS1DHFjwGM9	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51850	2607:f740:b::f93	53	udp	3903	0.079300	txtpadding_323.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	0	NOERROR	T	F	T	F	0	TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 136 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX	1.000000	F
-1331084293.592245	CjhGID4nQcgTWjvg4c	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51851	2607:f740:b::f93	53	udp	40849	5.084025	txtpadding_3230.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	0	NOERROR	T	F	T	F	0	TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 192 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX	1.000000	F
+1331084293.592245	ClEkJM2Vm5giqnMf4h	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51851	2607:f740:b::f93	53	udp	40849	5.084025	txtpadding_3230.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	0	NOERROR	T	F	T	F	0	TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 192 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX	1.000000	F
-1331084298.593081	CjhGID4nQcgTWjvg4c	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51851	2607:f740:b::f93	53	udp	40849	-	txtpadding_3230.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	-	-	F	F	T	F	0	-	-	F
+1331084298.593081	ClEkJM2Vm5giqnMf4h	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51851	2607:f740:b::f93	53	udp	40849	-	txtpadding_3230.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	-	-	F	F	T	F	0	-	-	F
-#close	2016-06-15-03-33-34
+#close	2016-07-13-16-12-54
--- a/testing/btest/Baseline/core.mpls-in-vlan/conn.log
+++ b/testing/btest/Baseline/core.mpls-in-vlan/conn.log
@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2015-02-23-21-32-33
+#open	2016-07-13-16-12-55
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-1371685686.536606	CXWv6p3arKYeMETxOg	65.65.65.65	19244	65.65.65.65	80	tcp	-	-	-	-	OTH	-	-	0	D	1	257	0	0	(empty)
+1371685686.536606	CHhAvVGS1DHFjwGM9	65.65.65.65	19244	65.65.65.65	80	tcp	-	-	-	-	OTH	-	-	0	D	1	257	0	0	(empty)
-1371686961.156859	CjhGID4nQcgTWjvg4c	65.65.65.65	32828	65.65.65.65	80	tcp	-	-	-	-	OTH	-	-	0	d	0	0	1	1500	(empty)
+1371686961.479321	C4J4Th3PJpwUYZZ6gc	65.65.65.65	61193	65.65.65.65	80	tcp	-	-	-	-	OTH	-	-	0	D	1	710	0	0	(empty)
-1371686961.479321	CCvvfg3TEfuqmmG4bh	65.65.65.65	61193	65.65.65.65	80	tcp	-	-	-	-	OTH	-	-	0	D	1	710	0	0	(empty)
+1371686961.156859	ClEkJM2Vm5giqnMf4h	65.65.65.65	32828	65.65.65.65	80	tcp	-	-	-	-	OTH	-	-	0	^d	0	0	1	1500	(empty)
-#close	2015-02-23-21-32-33
+#close	2016-07-13-16-12-55
--- a/testing/btest/Baseline/core.pcap.dynamic-filter/conn.log
+++ b/testing/btest/Baseline/core.pcap.dynamic-filter/conn.log
@ -3,23 +3,23 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2015-02-23-21-32-35
+#open	2016-07-13-16-12-55
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-1300475167.096535	CXWv6p3arKYeMETxOg	141.142.220.202	5353	224.0.0.251	5353	udp	dns	-	-	-	S0	-	-	0	D	1	73	0	0	(empty)
+1300475167.096535	CHhAvVGS1DHFjwGM9	141.142.220.202	5353	224.0.0.251	5353	udp	dns	-	-	-	S0	-	-	0	D	1	73	0	0	(empty)
-1300475168.853899	CCvvfg3TEfuqmmG4bh	141.142.220.118	43927	141.142.2.2	53	udp	dns	0.000435	38	89	SF	-	-	0	Dd	1	66	1	117	(empty)
+1300475168.853899	C4J4Th3PJpwUYZZ6gc	141.142.220.118	43927	141.142.2.2	53	udp	dns	0.000435	38	89	SF	-	-	0	Dd	1	66	1	117	(empty)
-1300475168.854378	CsRx2w45OKnoww6xl4	141.142.220.118	37676	141.142.2.2	53	udp	dns	0.000420	52	99	SF	-	-	0	Dd	1	80	1	127	(empty)
+1300475168.854378	CtPZjS20MLrsMUOJi2	141.142.220.118	37676	141.142.2.2	53	udp	dns	0.000420	52	99	SF	-	-	0	Dd	1	80	1	127	(empty)
-1300475168.854837	CRJuHdVW0XPVINV8a	141.142.220.118	40526	141.142.2.2	53	udp	dns	0.000392	38	183	SF	-	-	0	Dd	1	66	1	211	(empty)
+1300475168.854837	CUM0KZ3MLUfNB0cl11	141.142.220.118	40526	141.142.2.2	53	udp	dns	0.000392	38	183	SF	-	-	0	Dd	1	66	1	211	(empty)
-1300475168.857956	CPbrpk1qSsw6ESzHV4	141.142.220.118	32902	141.142.2.2	53	udp	dns	0.000317	38	89	SF	-	-	0	Dd	1	66	1	117	(empty)
+1300475168.857956	CmES5u32sYpV7JYN	141.142.220.118	32902	141.142.2.2	53	udp	dns	0.000317	38	89	SF	-	-	0	Dd	1	66	1	117	(empty)
-1300475168.858306	C6pKV8GSxOnSLghOa	141.142.220.118	59816	141.142.2.2	53	udp	dns	0.000343	52	99	SF	-	-	0	Dd	1	80	1	127	(empty)
+1300475168.858306	CP5puj4I8PtEU4qzYg	141.142.220.118	59816	141.142.2.2	53	udp	dns	0.000343	52	99	SF	-	-	0	Dd	1	80	1	127	(empty)
-1300475168.858713	CIPOse170MGiRM1Qf4	141.142.220.118	59714	141.142.2.2	53	udp	dns	0.000375	38	183	SF	-	-	0	Dd	1	66	1	211	(empty)
+1300475168.858713	C37jN32gN3y3AZzyf6	141.142.220.118	59714	141.142.2.2	53	udp	dns	0.000375	38	183	SF	-	-	0	Dd	1	66	1	211	(empty)
-1300475168.891644	C7XEbhP654jzLoe3a	141.142.220.118	58206	141.142.2.2	53	udp	dns	0.000339	38	89	SF	-	-	0	Dd	1	66	1	117	(empty)
+1300475168.891644	C3eiCBGOLw3VtHfOj	141.142.220.118	58206	141.142.2.2	53	udp	dns	0.000339	38	89	SF	-	-	0	Dd	1	66	1	117	(empty)
-1300475168.892037	CJ3xTn1c4Zw9TmAE05	141.142.220.118	38911	141.142.2.2	53	udp	dns	0.000335	52	99	SF	-	-	0	Dd	1	80	1	127	(empty)
+1300475168.892037	CwjjYJ2WqgTbAqiHl6	141.142.220.118	38911	141.142.2.2	53	udp	dns	0.000335	52	99	SF	-	-	0	Dd	1	80	1	127	(empty)
-1300475168.892414	CMXxB5GvmoxJFXdTa	141.142.220.118	59746	141.142.2.2	53	udp	dns	0.000421	38	183	SF	-	-	0	Dd	1	66	1	211	(empty)
+1300475168.892414	C0LAHyvtKSQHyJxIl	141.142.220.118	59746	141.142.2.2	53	udp	dns	0.000421	38	183	SF	-	-	0	Dd	1	66	1	211	(empty)
-1300475168.893988	Caby8b1slFea8xwSmb	141.142.220.118	45000	141.142.2.2	53	udp	dns	0.000384	38	89	SF	-	-	0	Dd	1	66	1	117	(empty)
+1300475168.893988	CFLRIC3zaTU1loLGxh	141.142.220.118	45000	141.142.2.2	53	udp	dns	0.000384	38	89	SF	-	-	0	Dd	1	66	1	117	(empty)
-1300475168.894422	Che1bq3i2rO3KD1Syg	141.142.220.118	48479	141.142.2.2	53	udp	dns	0.000317	52	99	SF	-	-	0	Dd	1	80	1	127	(empty)
+1300475168.894422	C9rXSW3KSpTYvPrlI1	141.142.220.118	48479	141.142.2.2	53	udp	dns	0.000317	52	99	SF	-	-	0	Dd	1	80	1	127	(empty)
-1300475168.894787	C3SfNE4BWaU4aSuwkc	141.142.220.118	48128	141.142.2.2	53	udp	dns	0.000423	38	183	SF	-	-	0	Dd	1	66	1	211	(empty)
+1300475168.894787	Ck51lg1bScffFj34Ri	141.142.220.118	48128	141.142.2.2	53	udp	dns	0.000423	38	183	SF	-	-	0	Dd	1	66	1	211	(empty)
-1300475168.901749	CEle3f3zno26fFZkrh	141.142.220.118	56056	141.142.2.2	53	udp	dns	0.000402	36	131	SF	-	-	0	Dd	1	64	1	159	(empty)
+1300475168.901749	C9mvWx3ezztgzcexV7	141.142.220.118	56056	141.142.2.2	53	udp	dns	0.000402	36	131	SF	-	-	0	Dd	1	64	1	159	(empty)
-1300475168.902195	CwSkQu4eWZCH7OONC1	141.142.220.118	55092	141.142.2.2	53	udp	dns	0.000374	36	198	SF	-	-	0	Dd	1	64	1	226	(empty)
+1300475168.902195	CNnMIj2QSd84NKf7U3	141.142.220.118	55092	141.142.2.2	53	udp	dns	0.000374	36	198	SF	-	-	0	Dd	1	64	1	226	(empty)
-1300475168.652003	CjhGID4nQcgTWjvg4c	141.142.220.118	35634	208.80.152.2	80	tcp	-	-	-	-	OTH	-	-	0	D	1	515	0	0	(empty)
+1300475168.652003	ClEkJM2Vm5giqnMf4h	141.142.220.118	35634	208.80.152.2	80	tcp	-	-	-	-	OTH	-	-	0	D	1	515	0	0	(empty)
-#close	2015-02-23-21-32-35
+#close	2016-07-13-16-12-55
--- a/testing/btest/Baseline/core.pcap.read-trace-with-filter/conn.log
+++ b/testing/btest/Baseline/core.pcap.read-trace-with-filter/conn.log
@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2015-02-23-21-32-46
+#open	2016-07-13-16-12-56
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-1300475168.892936	CXWv6p3arKYeMETxOg	141.142.220.118	50000	208.80.152.3	80	tcp	http	0.229603	1148	734	S1	-	-	0	ShADad	6	1468	4	950	(empty)
+1300475168.892936	CHhAvVGS1DHFjwGM9	141.142.220.118	50000	208.80.152.3	80	tcp	http	0.229603	1148	734	S1	-	-	0	ShADad	6	1468	4	950	(empty)
-#close	2015-02-23-21-32-46
+#close	2016-07-13-16-12-56
--- a/testing/btest/Baseline/core.pcap.read-trace-with-filter/packet_filter.log
+++ b/testing/btest/Baseline/core.pcap.read-trace-with-filter/packet_filter.log
@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2014-08-23-18-29-48
+#open	2016-07-13-16-12-56
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1408818588.510297	bro	port 50000	T	T
+1468426376.541368	bro	port 50000	T	T
-#close	2014-08-23-18-29-48
+#close	2016-07-13-16-12-56
--- a/testing/btest/Baseline/core.pppoe/conn.log
+++ b/testing/btest/Baseline/core.pppoe/conn.log
@ -3,14 +3,14 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2015-02-23-21-32-47
+#open	2016-07-13-16-12-57
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-1284385418.014560	CPbrpk1qSsw6ESzHV4	fe80::c801:eff:fe88:8	547	fe80::ce05:eff:fe88:0	546	udp	-	0.096000	192	0	S0	-	-	0	D	2	288	0	0	(empty)
+1284385417.962560	CUM0KZ3MLUfNB0cl11	fe80::ce05:eff:fe88:0	546	ff02::1:2	547	udp	-	0.078000	114	0	S0	-	-	0	D	2	210	0	0	(empty)
-1284385417.962560	CRJuHdVW0XPVINV8a	fe80::ce05:eff:fe88:0	546	ff02::1:2	547	udp	-	0.078000	114	0	S0	-	-	0	D	2	210	0	0	(empty)
+1284385418.014560	CmES5u32sYpV7JYN	fe80::c801:eff:fe88:8	547	fe80::ce05:eff:fe88:0	546	udp	-	0.096000	192	0	S0	-	-	0	D	2	288	0	0	(empty)
-1284385411.091560	CjhGID4nQcgTWjvg4c	fe80::c801:eff:fe88:8	136	ff02::1	135	icmp	-	-	-	-	OTH	-	-	0	-	1	64	0	0	(empty)
+1284385411.035560	CHhAvVGS1DHFjwGM9	fe80::c801:eff:fe88:8	143	ff02::16	0	icmp	-	0.835000	160	0	OTH	-	-	0	-	8	608	0	0	(empty)
-1284385411.035560	CXWv6p3arKYeMETxOg	fe80::c801:eff:fe88:8	143	ff02::16	0	icmp	-	0.835000	160	0	OTH	-	-	0	-	8	608	0	0	(empty)
+1284385451.658560	CP5puj4I8PtEU4qzYg	fc00:0:2:100::1:1	128	fc00::1	129	icmp	-	0.156000	260	260	OTH	-	-	0	-	5	500	5	500	(empty)
-1284385451.658560	C6pKV8GSxOnSLghOa	fc00:0:2:100::1:1	128	fc00::1	129	icmp	-	0.156000	260	260	OTH	-	-	0	-	5	500	5	500	(empty)
+1284385412.963560	C4J4Th3PJpwUYZZ6gc	fe80::ce05:eff:fe88:0	133	ff02::2	134	icmp	-	-	-	-	OTH	-	-	0	-	1	48	0	0	(empty)
-1284385413.027560	CsRx2w45OKnoww6xl4	fe80::c801:eff:fe88:8	134	fe80::ce05:eff:fe88:0	133	icmp	-	-	-	-	OTH	-	-	0	-	1	64	0	0	(empty)
+1284385413.027560	CtPZjS20MLrsMUOJi2	fe80::c801:eff:fe88:8	134	fe80::ce05:eff:fe88:0	133	icmp	-	-	-	-	OTH	-	-	0	-	1	64	0	0	(empty)
-1284385412.963560	CCvvfg3TEfuqmmG4bh	fe80::ce05:eff:fe88:0	133	ff02::2	134	icmp	-	-	-	-	OTH	-	-	0	-	1	48	0	0	(empty)
+1284385411.091560	ClEkJM2Vm5giqnMf4h	fe80::c801:eff:fe88:8	136	ff02::1	135	icmp	-	-	-	-	OTH	-	-	0	-	1	64	0	0	(empty)
-#close	2015-02-23-21-32-47
+#close	2016-07-13-16-12-57
--- a/testing/btest/Baseline/core.print-bpf-filters/conn.log
+++ b/testing/btest/Baseline/core.print-bpf-filters/conn.log
@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2015-03-30-21-38-30
+#open	2016-07-13-16-12-58
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-1278600802.069419	CXWv6p3arKYeMETxOg	10.20.80.1	50343	10.0.0.15	80	tcp	-	0.004152	9	3429	SF	-	-	0	ShADadfF	7	381	7	3801	(empty)
+1278600802.069419	CHhAvVGS1DHFjwGM9	10.20.80.1	50343	10.0.0.15	80	tcp	-	0.004152	9	3429	SF	-	-	0	ShADadfF	7	381	7	3801	(empty)
-#close	2015-03-30-21-38-30
+#close	2016-07-13-16-12-59
--- a/testing/btest/Baseline/core.print-bpf-filters/output
+++ b/testing/btest/Baseline/core.print-bpf-filters/output
@ -3,28 +3,28 @@
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2015-03-30-21-38-29
+#open	2016-07-13-16-12-57
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1427751509.034738	bro	ip or not ip	T	T
+1468426377.846975	bro	ip or not ip	T	T
-#close	2015-03-30-21-38-29
+#close	2016-07-13-16-12-57
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2015-03-30-21-38-29
+#open	2016-07-13-16-12-58
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1427751509.711080	bro	port 42	T	T
+1468426378.362651	bro	port 42	T	T
-#close	2015-03-30-21-38-29
+#close	2016-07-13-16-12-58
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2015-03-30-21-38-30
+#open	2016-07-13-16-12-58
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1427751510.380510	bro	(vlan) and (ip or not ip)	T	T
+1468426378.944945	bro	(vlan) and (ip or not ip)	T	T
-#close	2015-03-30-21-38-30
+#close	2016-07-13-16-12-59
--- a/testing/btest/Baseline/core.q-in-q/conn.log
+++ b/testing/btest/Baseline/core.q-in-q/conn.log
@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2015-02-23-21-32-51
+#open	2016-07-13-16-13-00
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-1363900699.548138	CXWv6p3arKYeMETxOg	172.19.51.37	47808	172.19.51.63	47808	udp	-	0.000100	36	0	S0	-	-	0	D	2	92	0	0	(empty)
+1363900699.548138	CHhAvVGS1DHFjwGM9	172.19.51.37	47808	172.19.51.63	47808	udp	-	0.000100	36	0	S0	-	-	0	D	2	92	0	0	(empty)
-1363900699.549647	CjhGID4nQcgTWjvg4c	193.1.186.60	9875	224.2.127.254	9875	udp	-	0.000139	552	0	S0	-	-	0	D	2	608	0	0	(empty)
+1363900699.549647	ClEkJM2Vm5giqnMf4h	193.1.186.60	9875	224.2.127.254	9875	udp	-	0.000139	552	0	S0	-	-	0	D	2	608	0	0	(empty)
-#close	2015-02-23-21-32-51
+#close	2016-07-13-16-13-00
--- a/testing/btest/Baseline/core.radiotap/conn.log
+++ b/testing/btest/Baseline/core.radiotap/conn.log
@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2016-01-19-09-01-31
+#open	2016-07-13-16-13-00
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-1439902891.705224	CXWv6p3arKYeMETxOg	172.17.156.76	61738	208.67.220.220	53	udp	dns	0.041654	35	128	SF	-	-	0	Dd	1	63	1	156	(empty)
+1439902891.705224	CHhAvVGS1DHFjwGM9	172.17.156.76	61738	208.67.220.220	53	udp	dns	0.041654	35	128	SF	-	-	0	Dd	1	63	1	156	(empty)
-1439903050.580632	CjhGID4nQcgTWjvg4c	fe80::a667:6ff:fef7:ec54	5353	ff02::fb	5353	udp	dns	-	-	-	S0	-	-	0	D	1	328	0	0	(empty)
+1439903050.580632	ClEkJM2Vm5giqnMf4h	fe80::a667:6ff:fef7:ec54	5353	ff02::fb	5353	udp	dns	-	-	-	S0	-	-	0	D	1	328	0	0	(empty)
-#close	2016-01-19-09-01-31
+#close	2016-07-13-16-13-00
--- a/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log
+++ b/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log
@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2015-04-15-23-53-28
+#open	2016-07-13-16-13-01
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-1395939406.175845	CjhGID4nQcgTWjvg4c	192.168.56.1	59763	192.168.56.101	63988	tcp	ftp-data	0.001676	0	270	SF	-	-	0	ShAdfFa	5	272	4	486	(empty)
+1395939406.175845	ClEkJM2Vm5giqnMf4h	192.168.56.1	59763	192.168.56.101	63988	tcp	ftp-data	0.001676	0	270	SF	-	-	0	ShAdfFa	5	272	4	486	(empty)
-1395939411.361078	CCvvfg3TEfuqmmG4bh	192.168.56.1	59764	192.168.56.101	37150	tcp	ftp-data	150.496065	0	5416666670	SF	-	-	4675708816	ShAdfFa	13	688	12	24454	(empty)
+1395939411.361078	C4J4Th3PJpwUYZZ6gc	192.168.56.1	59764	192.168.56.101	37150	tcp	ftp-data	150.496065	0	5416666670	SF	-	-	4675708816	ShAdfFa	13	688	12	24454	(empty)
-1395939399.984671	CXWv6p3arKYeMETxOg	192.168.56.1	59762	192.168.56.101	21	tcp	ftp	169.634297	104	1041	SF	-	-	0	ShAdDaFf	31	1728	18	1985	(empty)
+1395939399.984671	CHhAvVGS1DHFjwGM9	192.168.56.1	59762	192.168.56.101	21	tcp	ftp	169.634297	104	1041	SF	-	-	0	ShAdDaFf	31	1728	18	1985	(empty)
-#close	2015-04-15-23-53-28
+#close	2016-07-13-16-13-01
--- a/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log
+++ b/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log
@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	files
-#open	2015-04-15-23-53-28
+#open	2016-07-13-16-13-01
 #fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted
 #types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string
-1395939406.177079	FAb5m22Dhe2Zi95anf	192.168.56.101	192.168.56.1	CjhGID4nQcgTWjvg4c	FTP_DATA	0	DATA_EVENT	text/plain	-	0.000000	-	F	270	-	0	0	F	-	-	-	-	-
+1395939406.177079	FAb5m22Dhe2Zi95anf	192.168.56.101	192.168.56.1	ClEkJM2Vm5giqnMf4h	FTP_DATA	0	DATA_EVENT	text/plain	-	0.000000	-	F	270	-	0	0	F	-	-	-	-	-
-1395939411.364462	FhI0ao2FNTjabdfSBd	192.168.56.101	192.168.56.1	CCvvfg3TEfuqmmG4bh	FTP_DATA	0	DATA_EVENT	text/plain	-	150.490904	-	F	23822	-	5416642848	0	F	-	-	-	-	-
+1395939411.364462	FhI0ao2FNTjabdfSBd	192.168.56.101	192.168.56.1	C4J4Th3PJpwUYZZ6gc	FTP_DATA	0	DATA_EVENT	text/plain	-	150.490904	-	F	23822	-	5416642848	0	F	-	-	-	-	-
-#close	2015-04-15-23-53-28
+#close	2016-07-13-16-13-01
--- a/testing/btest/Baseline/core.tcp.miss-end-data/conn.log
+++ b/testing/btest/Baseline/core.tcp.miss-end-data/conn.log
@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2015-02-23-21-32-57
+#open	2016-07-13-16-13-02
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-1331764471.664131	CXWv6p3arKYeMETxOg	192.168.122.230	60648	77.238.160.184	80	tcp	http	10.048360	538	2902	SF	-	-	2902	ShADafF	5	750	4	172	(empty)
+1331764471.664131	CHhAvVGS1DHFjwGM9	192.168.122.230	60648	77.238.160.184	80	tcp	http	10.048360	538	2902	SF	-	-	2902	ShADafF	5	750	4	172	(empty)
-#close	2015-02-23-21-32-57
+#close	2016-07-13-16-13-02
--- a/testing/btest/Baseline/core.tcp.missing-syn/conn.log
+++ b/testing/btest/Baseline/core.tcp.missing-syn/conn.log
@ -0,0 +1,10 @@
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	conn
 #open	2016-07-13-17-58-31
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
 1128727435.633408	CHhAvVGS1DHFjwGM9	141.42.64.125	56730	125.190.109.199	80	tcp	http	1.550793	98	9417	SF	-	-	0	^hADdFaf	11	670	10	9945	(empty)
 #close	2016-07-13-17-58-31
--- a/testing/btest/Baseline/core.tcp.rxmit-history/conn-1.log
+++ b/testing/btest/Baseline/core.tcp.rxmit-history/conn-1.log
@ -0,0 +1,10 @@
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	conn
 #open	2016-07-13-16-13-02
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
 1285862902.700271	CHhAvVGS1DHFjwGM9	10.0.88.85	50368	192.168.0.27	80	tcp	-	60.991770	474	23783	RSTO	-	-	24257	ShADadtR	17	1250	22	28961	(empty)
 #close	2016-07-13-16-13-03
--- a/testing/btest/Baseline/core.tcp.rxmit-history/conn-2.log
+++ b/testing/btest/Baseline/core.tcp.rxmit-history/conn-2.log
@ -0,0 +1,43 @@
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	conn
 #open	2016-07-13-16-13-03
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
 1300475167.096535	CHhAvVGS1DHFjwGM9	141.142.220.202	5353	224.0.0.251	5353	udp	dns	-	-	-	S0	-	-	0	D	1	73	0	0	(empty)
 1300475167.097012	ClEkJM2Vm5giqnMf4h	fe80::217:f2ff:fed7:cf65	5353	ff02::fb	5353	udp	dns	-	-	-	S0	-	-	0	D	1	199	0	0	(empty)
 1300475167.099816	C4J4Th3PJpwUYZZ6gc	141.142.220.50	5353	224.0.0.251	5353	udp	dns	-	-	-	S0	-	-	0	D	1	179	0	0	(empty)
 1300475168.853899	CmES5u32sYpV7JYN	141.142.220.118	43927	141.142.2.2	53	udp	dns	0.000435	38	89	SF	-	-	0	Dd	1	66	1	117	(empty)
 1300475168.854378	CP5puj4I8PtEU4qzYg	141.142.220.118	37676	141.142.2.2	53	udp	dns	0.000420	52	99	SF	-	-	0	Dd	1	80	1	127	(empty)
 1300475168.854837	C37jN32gN3y3AZzyf6	141.142.220.118	40526	141.142.2.2	53	udp	dns	0.000392	38	183	SF	-	-	0	Dd	1	66	1	211	(empty)
 1300475168.857956	C0LAHyvtKSQHyJxIl	141.142.220.118	32902	141.142.2.2	53	udp	dns	0.000317	38	89	SF	-	-	0	Dd	1	66	1	117	(empty)
 1300475168.858306	CFLRIC3zaTU1loLGxh	141.142.220.118	59816	141.142.2.2	53	udp	dns	0.000343	52	99	SF	-	-	0	Dd	1	80	1	127	(empty)
 1300475168.858713	C9rXSW3KSpTYvPrlI1	141.142.220.118	59714	141.142.2.2	53	udp	dns	0.000375	38	183	SF	-	-	0	Dd	1	66	1	211	(empty)
 1300475168.891644	C9mvWx3ezztgzcexV7	141.142.220.118	58206	141.142.2.2	53	udp	dns	0.000339	38	89	SF	-	-	0	Dd	1	66	1	117	(empty)
 1300475168.892037	CNnMIj2QSd84NKf7U3	141.142.220.118	38911	141.142.2.2	53	udp	dns	0.000335	52	99	SF	-	-	0	Dd	1	80	1	127	(empty)
 1300475168.892414	C7fIlMZDuRiqjpYbb	141.142.220.118	59746	141.142.2.2	53	udp	dns	0.000421	38	183	SF	-	-	0	Dd	1	66	1	211	(empty)
 1300475168.893988	CpmdRlaUoJLN3uIRa	141.142.220.118	45000	141.142.2.2	53	udp	dns	0.000384	38	89	SF	-	-	0	Dd	1	66	1	117	(empty)
 1300475168.894422	C1Xkzz2MaGtLrc1Tla	141.142.220.118	48479	141.142.2.2	53	udp	dns	0.000317	52	99	SF	-	-	0	Dd	1	80	1	127	(empty)
 1300475168.894787	CqlVyW1YwZ15RhTBc4	141.142.220.118	48128	141.142.2.2	53	udp	dns	0.000423	38	183	SF	-	-	0	Dd	1	66	1	211	(empty)
 1300475168.901749	CBA8792iHmnhPLksKa	141.142.220.118	56056	141.142.2.2	53	udp	dns	0.000402	36	131	SF	-	-	0	Dd	1	64	1	159	(empty)
 1300475168.902195	CGLPPc35OzDQij1XX8	141.142.220.118	55092	141.142.2.2	53	udp	dns	0.000374	36	198	SF	-	-	0	Dd	1	64	1	226	(empty)
 1300475169.899438	Cipfzj1BEnhejw8cGf	141.142.220.44	5353	224.0.0.251	5353	udp	dns	-	-	-	S0	-	-	0	D	1	85	0	0	(empty)
 1300475170.862384	CV5WJ42jPYbNW9JNWf	141.142.220.226	137	141.142.220.255	137	udp	dns	2.613017	350	0	S0	-	-	0	D	7	546	0	0	(empty)
 1300475171.675372	CPhDKt12KQPUVbQz06	fe80::3074:17d5:2052:c324	65373	ff02::1:3	5355	udp	dns	0.100096	66	0	S0	-	-	0	D	2	162	0	0	(empty)
 1300475171.677081	CAnFrb2Cvxr5T7quOc	141.142.220.226	55131	224.0.0.252	5355	udp	dns	0.100021	66	0	S0	-	-	0	D	2	122	0	0	(empty)
 1300475173.116749	C8rquZ3DjgNW06JGLl	fe80::3074:17d5:2052:c324	54213	ff02::1:3	5355	udp	dns	0.099801	66	0	S0	-	-	0	D	2	162	0	0	(empty)
 1300475173.117362	CzrZOtXqhwwndQva3	141.142.220.226	55671	224.0.0.252	5355	udp	dns	0.099849	66	0	S0	-	-	0	D	2	122	0	0	(empty)
 1300475173.153679	CaGCc13FffXe6RkQl9	141.142.220.238	56641	141.142.220.255	137	udp	dns	-	-	-	S0	-	-	0	D	1	78	0	0	(empty)
 1300475169.780331	CFSwNi4CNGxcuffo49	141.142.220.235	6705	173.192.163.128	80	tcp	-	-	-	-	OTH	-	-	0	^h	0	0	1	48	(empty)
 1300475168.892913	CykQaM33ztNt0csB9a	141.142.220.118	49999	208.80.152.3	80	tcp	http	0.220961	1137	733	S1	-	-	0	ShADad	6	1457	4	949	(empty)
 1300475168.724007	CUM0KZ3MLUfNB0cl11	141.142.220.118	48649	208.80.152.118	80	tcp	http	0.119905	525	232	S1	-	-	0	ShADad	4	741	3	396	(empty)
 1300475168.855330	CwjjYJ2WqgTbAqiHl6	141.142.220.118	49997	208.80.152.3	80	tcp	http	0.219720	1125	734	S1	-	-	0	ShADad	6	1445	4	950	(empty)
 1300475168.855305	C3eiCBGOLw3VtHfOj	141.142.220.118	49996	208.80.152.3	80	tcp	http	0.218501	1171	733	S1	-	-	0	ShADad	6	1491	4	949	(empty)
 1300475168.652003	CtPZjS20MLrsMUOJi2	141.142.220.118	35634	208.80.152.2	80	tcp	-	0.061329	463	350	OTH	-	-	0	DdA	2	567	1	402	(empty)
 1300475168.902635	CiyBAq1bBLNaTiTAc	141.142.220.118	35642	208.80.152.2	80	tcp	http	0.120041	534	412	S1	-	-	0	ShADad	4	750	3	576	(empty)
 1300475168.859163	Ck51lg1bScffFj34Ri	141.142.220.118	49998	208.80.152.3	80	tcp	http	0.215893	1130	734	S1	-	-	0	ShADad	6	1450	4	950	(empty)
 1300475168.892936	CtxTCR2Yer0FR1tIBg	141.142.220.118	50000	208.80.152.3	80	tcp	http	0.229603	1148	734	S1	-	-	0	ShADad	6	1468	4	950	(empty)
 1300475168.895267	CLNN1k2QMum1aexUK7	141.142.220.118	50001	208.80.152.3	80	tcp	http	0.227284	1178	734	S1	-	-	0	ShADad	6	1498	4	950	(empty)
 #close	2016-07-13-16-13-03
--- a/testing/btest/Baseline/core.tunnels.ayiya/conn.log
+++ b/testing/btest/Baseline/core.tunnels.ayiya/conn.log
@ -3,15 +3,15 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2016-01-15-18-40-13
+#open	2016-07-13-16-13-04
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-1257655301.595604	CIPOse170MGiRM1Qf4	2001:4978:f:4c::2	53382	2001:4860:b002::68	80	tcp	http	2.101052	2981	4665	S1	-	-	0	ShADad	10	3605	11	5329	CCvvfg3TEfuqmmG4bh
+1257655301.595604	C37jN32gN3y3AZzyf6	2001:4978:f:4c::2	53382	2001:4860:b002::68	80	tcp	http	2.101052	2981	4665	S1	-	-	0	ShADad	10	3605	11	5329	C4J4Th3PJpwUYZZ6gc
-1257655296.585034	CCvvfg3TEfuqmmG4bh	192.168.3.101	53859	216.14.98.22	5072	udp	ayiya	20.879001	5129	6109	SF	-	-	0	Dd	21	5717	13	6473	(empty)
+1257655296.585034	C4J4Th3PJpwUYZZ6gc	192.168.3.101	53859	216.14.98.22	5072	udp	ayiya	20.879001	5129	6109	SF	-	-	0	Dd	21	5717	13	6473	(empty)
-1257655293.629048	CXWv6p3arKYeMETxOg	192.168.3.101	53796	216.14.98.22	5072	udp	ayiya	-	-	-	SHR	-	-	0	d	0	0	1	176	(empty)
+1257655293.629048	CHhAvVGS1DHFjwGM9	192.168.3.101	53796	216.14.98.22	5072	udp	ayiya	-	-	-	SHR	-	-	0	^d	0	0	1	176	(empty)
-1257655296.585333	C6pKV8GSxOnSLghOa	::	135	ff02::1:ff00:2	136	icmp	-	-	-	-	OTH	-	-	0	-	1	64	0	0	CCvvfg3TEfuqmmG4bh
+1257655296.585333	CP5puj4I8PtEU4qzYg	::	135	ff02::1:ff00:2	136	icmp	-	-	-	-	OTH	-	-	0	-	1	64	0	0	C4J4Th3PJpwUYZZ6gc
-1257655293.629048	CjhGID4nQcgTWjvg4c	2001:4978:f:4c::1	128	2001:4978:f:4c::2	129	icmp	-	23.834987	168	56	OTH	-	-	0	-	3	312	1	104	CXWv6p3arKYeMETxOg,CCvvfg3TEfuqmmG4bh
+1257655296.585151	CUM0KZ3MLUfNB0cl11	fe80::216:cbff:fe9a:4cb9	131	ff02::2:f901:d225	130	icmp	-	0.719947	32	0	OTH	-	-	0	-	2	144	0	0	C4J4Th3PJpwUYZZ6gc
-1257655296.585188	CPbrpk1qSsw6ESzHV4	fe80::216:cbff:fe9a:4cb9	131	ff02::1:ff00:2	130	icmp	-	0.919988	32	0	OTH	-	-	0	-	2	144	0	0	CCvvfg3TEfuqmmG4bh
+1257655296.585034	CtPZjS20MLrsMUOJi2	fe80::216:cbff:fe9a:4cb9	131	ff02::1:ff9a:4cb9	130	icmp	-	4.922880	32	0	OTH	-	-	0	-	2	144	0	0	C4J4Th3PJpwUYZZ6gc
-1257655296.585151	CRJuHdVW0XPVINV8a	fe80::216:cbff:fe9a:4cb9	131	ff02::2:f901:d225	130	icmp	-	0.719947	32	0	OTH	-	-	0	-	2	144	0	0	CCvvfg3TEfuqmmG4bh
+1257655293.629048	ClEkJM2Vm5giqnMf4h	2001:4978:f:4c::1	128	2001:4978:f:4c::2	129	icmp	-	23.834987	168	56	OTH	-	-	0	-	3	312	1	104	CHhAvVGS1DHFjwGM9,C4J4Th3PJpwUYZZ6gc
-1257655296.585034	CsRx2w45OKnoww6xl4	fe80::216:cbff:fe9a:4cb9	131	ff02::1:ff9a:4cb9	130	icmp	-	4.922880	32	0	OTH	-	-	0	-	2	144	0	0	CCvvfg3TEfuqmmG4bh
+1257655296.585188	CmES5u32sYpV7JYN	fe80::216:cbff:fe9a:4cb9	131	ff02::1:ff00:2	130	icmp	-	0.919988	32	0	OTH	-	-	0	-	2	144	0	0	C4J4Th3PJpwUYZZ6gc
-#close	2016-01-15-18-40-13
+#close	2016-07-13-16-13-04
--- a/testing/btest/Baseline/core.tunnels.ayiya/http.log
+++ b/testing/btest/Baseline/core.tunnels.ayiya/http.log
@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2016-06-15-05-35-59
+#open	2016-07-13-16-13-04
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
 #types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1257655301.652206	CIPOse170MGiRM1Qf4	2001:4978:f:4c::2	53382	2001:4860:b002::68	80	1	GET	ipv6.google.com	/	-	1.1	Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre)	0	10102	200	OK	-	-	(empty)	-	-	-	-	-	-	FYAtjT24MvCBUs5K5f	-	text/html
+1257655301.652206	C37jN32gN3y3AZzyf6	2001:4978:f:4c::2	53382	2001:4860:b002::68	80	1	GET	ipv6.google.com	/	-	1.1	Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre)	0	10102	200	OK	-	-	(empty)	-	-	-	-	-	-	FYAtjT24MvCBUs5K5f	-	text/html
-1257655302.514424	CIPOse170MGiRM1Qf4	2001:4978:f:4c::2	53382	2001:4860:b002::68	80	2	GET	ipv6.google.com	/csi?v=3&s=webhp&action=&tran=undefined&e=17259,19771,21517,21766,21887,22212&ei=BUz2Su7PMJTglQfz3NzCAw&rt=prt.77,xjs.565,ol.645	http://ipv6.google.com/	1.1	Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre)	0	0	204	No Content	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1257655302.514424	C37jN32gN3y3AZzyf6	2001:4978:f:4c::2	53382	2001:4860:b002::68	80	2	GET	ipv6.google.com	/csi?v=3&s=webhp&action=&tran=undefined&e=17259,19771,21517,21766,21887,22212&ei=BUz2Su7PMJTglQfz3NzCAw&rt=prt.77,xjs.565,ol.645	http://ipv6.google.com/	1.1	Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre)	0	0	204	No Content	-	-	(empty)	-	-	-	-	-	-	-	-	-
-1257655303.603569	CIPOse170MGiRM1Qf4	2001:4978:f:4c::2	53382	2001:4860:b002::68	80	3	GET	ipv6.google.com	/gen_204?atyp=i&ct=fade&cad=1254&ei=BUz2Su7PMJTglQfz3NzCAw&zx=1257655303600	http://ipv6.google.com/	1.1	Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre)	0	0	204	No Content	-	-	(empty)	-	-	-	-	-	-	-	-	-
+1257655303.603569	C37jN32gN3y3AZzyf6	2001:4978:f:4c::2	53382	2001:4860:b002::68	80	3	GET	ipv6.google.com	/gen_204?atyp=i&ct=fade&cad=1254&ei=BUz2Su7PMJTglQfz3NzCAw&zx=1257655303600	http://ipv6.google.com/	1.1	Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre)	0	0	204	No Content	-	-	(empty)	-	-	-	-	-	-	-	-	-
-#close	2016-06-15-05-35-59
+#close	2016-07-13-16-13-04
--- a/testing/btest/Baseline/core.tunnels.ayiya/tunnel.log
+++ b/testing/btest/Baseline/core.tunnels.ayiya/tunnel.log
@ -3,11 +3,11 @@
 #empty_field	(empty)
 #unset_field	-
 #path	tunnel
-#open	2016-01-15-18-40-13
+#open	2016-07-13-16-13-04
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
 #types	time	string	addr	port	addr	port	enum	enum
-1257655293.629048	CXWv6p3arKYeMETxOg	192.168.3.101	53796	216.14.98.22	5072	Tunnel::AYIYA	Tunnel::DISCOVER
+1257655293.629048	CHhAvVGS1DHFjwGM9	192.168.3.101	53796	216.14.98.22	5072	Tunnel::AYIYA	Tunnel::DISCOVER
-1257655296.585034	CCvvfg3TEfuqmmG4bh	192.168.3.101	53859	216.14.98.22	5072	Tunnel::AYIYA	Tunnel::DISCOVER
+1257655296.585034	C4J4Th3PJpwUYZZ6gc	192.168.3.101	53859	216.14.98.22	5072	Tunnel::AYIYA	Tunnel::DISCOVER
-1257655317.464035	CCvvfg3TEfuqmmG4bh	192.168.3.101	53859	216.14.98.22	5072	Tunnel::AYIYA	Tunnel::CLOSE
+1257655317.464035	C4J4Th3PJpwUYZZ6gc	192.168.3.101	53859	216.14.98.22	5072	Tunnel::AYIYA	Tunnel::CLOSE
-1257655317.464035	CXWv6p3arKYeMETxOg	192.168.3.101	53796	216.14.98.22	5072	Tunnel::AYIYA	Tunnel::CLOSE
+1257655317.464035	CHhAvVGS1DHFjwGM9	192.168.3.101	53796	216.14.98.22	5072	Tunnel::AYIYA	Tunnel::CLOSE
-#close	2016-01-15-18-40-13
+#close	2016-07-13-16-13-04
--- a/testing/btest/Baseline/core.tunnels.gre-in-gre/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gre-in-gre/conn.log
@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2015-02-23-21-33-06
+#open	2016-07-13-16-13-05
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-1341436440.002928	CRJuHdVW0XPVINV8a	3.3.3.2	520	224.0.0.9	520	udp	-	26.148268	48	0	S0	-	-	0	D	2	104	0	0	CjhGID4nQcgTWjvg4c
+1341436424.378840	CtPZjS20MLrsMUOJi2	3.3.3.1	520	224.0.0.9	520	udp	-	28.555457	168	0	S0	-	-	0	D	2	224	0	0	ClEkJM2Vm5giqnMf4h
-1341436424.378840	CsRx2w45OKnoww6xl4	3.3.3.1	520	224.0.0.9	520	udp	-	28.555457	168	0	S0	-	-	0	D	2	224	0	0	CjhGID4nQcgTWjvg4c
+1341436440.002928	CUM0KZ3MLUfNB0cl11	3.3.3.2	520	224.0.0.9	520	udp	-	26.148268	48	0	S0	-	-	0	D	2	104	0	0	ClEkJM2Vm5giqnMf4h
-1341436424.204043	CCvvfg3TEfuqmmG4bh	10.10.25.1	8	192.168.1.2	0	icmp	-	42.380221	22464	22464	OTH	-	-	0	-	312	31200	312	31200	CjhGID4nQcgTWjvg4c
+1341436424.204043	C4J4Th3PJpwUYZZ6gc	10.10.25.1	8	192.168.1.2	0	icmp	-	42.380221	22464	22464	OTH	-	-	0	-	312	31200	312	31200	ClEkJM2Vm5giqnMf4h
-#close	2015-02-23-21-33-06
+#close	2016-07-13-16-13-05
--- a/testing/btest/Baseline/core.tunnels.gre-in-gre/tunnel.log
+++ b/testing/btest/Baseline/core.tunnels.gre-in-gre/tunnel.log
@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	tunnel
-#open	2014-01-16-21-51-36
+#open	2016-07-13-16-13-05
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
 #types	time	string	addr	port	addr	port	enum	enum
-1341436424.204043	CXWv6p3arKYeMETxOg	72.205.54.70	0	86.106.164.150	0	Tunnel::GRE	Tunnel::DISCOVER
+1341436424.204043	CHhAvVGS1DHFjwGM9	72.205.54.70	0	86.106.164.150	0	Tunnel::GRE	Tunnel::DISCOVER
-1341436424.204043	CjhGID4nQcgTWjvg4c	10.10.11.2	0	10.10.13.2	0	Tunnel::GRE	Tunnel::DISCOVER
+1341436424.204043	ClEkJM2Vm5giqnMf4h	10.10.11.2	0	10.10.13.2	0	Tunnel::GRE	Tunnel::DISCOVER
-#close	2014-01-16-21-51-36
+#close	2016-07-13-16-13-05
--- a/testing/btest/Baseline/core.tunnels.gre/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gre/conn.log
@ -3,14 +3,14 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2015-02-23-21-33-05
+#open	2016-07-13-16-13-04
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-1055289978.756932	CsRx2w45OKnoww6xl4	66.59.111.190	40264	172.28.2.3	22	tcp	ssh	3.157831	952	1671	SF	-	-	0	ShAdDaFf	12	1584	10	2199	CXWv6p3arKYeMETxOg
+1055289978.756932	CtPZjS20MLrsMUOJi2	66.59.111.190	40264	172.28.2.3	22	tcp	ssh	3.157831	952	1671	SF	-	-	0	ShAdDaFf	12	1584	10	2199	CHhAvVGS1DHFjwGM9
-1055289987.055189	CRJuHdVW0XPVINV8a	66.59.111.190	37675	172.28.2.3	53	udp	dns	5.001141	66	0	S0	-	-	0	D	2	122	0	0	CXWv6p3arKYeMETxOg
+1055289987.055189	CUM0KZ3MLUfNB0cl11	66.59.111.190	37675	172.28.2.3	53	udp	dns	5.001141	66	0	S0	-	-	0	D	2	122	0	0	CHhAvVGS1DHFjwGM9
-1055289996.849099	CIPOse170MGiRM1Qf4	66.59.111.190	123	129.170.17.4	123	udp	-	0.072374	48	48	SF	-	-	0	Dd	1	76	1	76	CXWv6p3arKYeMETxOg
+1055289973.849878	C4J4Th3PJpwUYZZ6gc	66.59.111.190	123	18.26.4.105	123	udp	-	0.074086	48	48	SF	-	-	0	Dd	1	76	1	76	CHhAvVGS1DHFjwGM9
-1055289973.849878	CCvvfg3TEfuqmmG4bh	66.59.111.190	123	18.26.4.105	123	udp	-	0.074086	48	48	SF	-	-	0	Dd	1	76	1	76	CXWv6p3arKYeMETxOg
+1055289992.849231	CP5puj4I8PtEU4qzYg	66.59.111.190	123	66.59.111.182	123	udp	-	0.056629	48	48	SF	-	-	0	Dd	1	76	1	76	CHhAvVGS1DHFjwGM9
-1055289992.849231	C6pKV8GSxOnSLghOa	66.59.111.190	123	66.59.111.182	123	udp	-	0.056629	48	48	SF	-	-	0	Dd	1	76	1	76	CXWv6p3arKYeMETxOg
+1055289996.849099	C37jN32gN3y3AZzyf6	66.59.111.190	123	129.170.17.4	123	udp	-	0.072374	48	48	SF	-	-	0	Dd	1	76	1	76	CHhAvVGS1DHFjwGM9
-1055289968.793044	CjhGID4nQcgTWjvg4c	66.59.111.190	8	172.28.2.3	0	icmp	-	3.061298	224	224	OTH	-	-	0	-	4	336	4	336	CXWv6p3arKYeMETxOg
+1055289968.793044	ClEkJM2Vm5giqnMf4h	66.59.111.190	8	172.28.2.3	0	icmp	-	3.061298	224	224	OTH	-	-	0	-	4	336	4	336	CHhAvVGS1DHFjwGM9
-1055289987.106744	CPbrpk1qSsw6ESzHV4	172.28.2.3	3	66.59.111.190	3	icmp	-	4.994662	122	0	OTH	-	-	0	-	2	178	0	0	CXWv6p3arKYeMETxOg
+1055289987.106744	CmES5u32sYpV7JYN	172.28.2.3	3	66.59.111.190	3	icmp	-	4.994662	122	0	OTH	-	-	0	-	2	178	0	0	CHhAvVGS1DHFjwGM9
-#close	2015-02-23-21-33-05
+#close	2016-07-13-16-13-05
--- a/Show more
+++ b/Show more
		`@ -1 +1 @@`
			`Subproject commit 9319932eb10a902ada7e8bc08da21f9beed8ca4b`				`Subproject commit b7932813c6bc8a711334bdf2c4beecd7c5e351ca`
		`@ -1 +1 @@`
			`Subproject commit dbacbe51ce5d07f61ccfea3256616408351b6481`				`Subproject commit 3aef01c600b29e936348798bc27bdfb57ddf4053`
		`@ -0,0 +1 @@`
							`../../../../aux/plugins/elasticsearch-deprecated/README`
		`@ -1 +0,0 @@`
			`../../../../aux/plugins/elasticsearch/README`
		`@ -1 +1 @@`
			`Subproject commit f1eaca0e085a8b37ec6a32c7e1b0e9571414a2e3`				`Subproject commit 0bbd6e8fd0e1ad6dc3002244d11c79d4bc63831d`
`@ -13,7 +13,6 @@ error: false-positive rate must take value between 0 and 1`
	`1`	`1`
	`1`	`1`
	`1, fp`	`1, fp`
	`1, fp`
	`1`	`1`
	`1`	`1`
	`1`	`1`
`@ -1,6 +1,6 @@`
	`985`	`20`
	`474`	`484`
	`738`	`137`
	`4`	`4`
	`634`	`634`
	`473`	`473`