Add Teredo packet analyzer, disable old analyzer

scripts/base/frameworks/tunnels/main.zeek

@@ -90,15 +90,13 @@ export {
 	global finalize_tunnel: Conn::RemovalHook;
 }
 
-const teredo_ports = { 3544/udp };
 const gtpv1_ports = { 2152/udp, 2123/udp };
-redef likely_server_ports += { teredo_ports, gtpv1_ports };
+redef likely_server_ports += { gtpv1_ports };
 
 event zeek_init() &priority=5
 	{
 	Log::create_stream(Tunnel::LOG, [$columns=Info, $path="tunnel", $policy=log_policy]);
 
-	Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports);
 	}
 

scripts/base/packet-protocols/__load__.zeek

@@ -24,3 +24,4 @@
 @load base/packet-protocols/ayiya
 @load base/packet-protocols/geneve
 @load base/packet-protocols/vxlan
+@load base/packet-protocols/teredo

scripts/base/packet-protocols/teredo/__load__.zeek

@@ -0,0 +1 @@
+@load ./main

scripts/base/packet-protocols/teredo/main.zeek

@@ -0,0 +1,28 @@
+module PacketAnalyzer::TEREDO;
+
+# This needs to be loaded here so the functions are available. Function BIFs normally aren't
+# loaded until after the packet analysis init scripts are run, and then zeek complains it
+# can't find the function.
+@load base/bif/plugins/Zeek_Teredo.functions.bif
+
+# Needed for port registration for BPF
+@load base/frameworks/analyzer/main
+
+export {
+        ## Default analyzer
+        const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef;
+}
+
+const teredo_ports = { 3544/udp };
+redef likely_server_ports += { teredo_ports };
+
+event zeek_init() &priority=20
+	{
+	PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO);
+	PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, teredo_ports);
+	}
+
+event connection_state_remove(c: connection)
+	{
+	remove_teredo_connection(c$id);
+	}

scripts/base/protocols/tunnels/dpd.sig

@@ -1,8 +1,2 @@
 # Provide DPD signatures for tunneling protocols that otherwise
 # wouldn't be detected at all.
-
-signature dpd_teredo {
-  ip-proto = udp
-  payload /^(\x00\x00)|(\x00\x01)|([\x60-\x6f].{7}((\x20\x01\x00\x00)).{28})|([\x60-\x6f].{23}((\x20\x01\x00\x00))).{12}/
-  enable "teredo"
-}

src/IPAddr.cc

@@ -24,8 +24,93 @@ namespace detail
 
 ConnKey::ConnKey(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port,
                  TransportProto t, bool one_way)
-	: transport(t)
 	{
+	Init(src, dst, src_port, dst_port, t, one_way);
+	}
+
+ConnKey::ConnKey(const ConnTuple& id)
+	{
+	Init(id.src_addr, id.dst_addr, id.src_port, id.dst_port, id.proto, id.is_one_way);
+	}
+
+ConnKey& ConnKey::operator=(const ConnKey& rhs)
+	{
+	if ( this == &rhs )
+		return *this;
+
+	// Because of padding in the object, this needs to memset to clear out
+	// the extra memory used by padding. Otherwise, the session key stuff
+	// doesn't work quite right.
+	memset(this, 0, sizeof(ConnKey));
+
+	memcpy(&ip1, &rhs.ip1, sizeof(in6_addr));
+	memcpy(&ip2, &rhs.ip2, sizeof(in6_addr));
+	port1 = rhs.port1;
+	port2 = rhs.port2;
+	transport = rhs.transport;
+	valid = rhs.valid;
+
+	return *this;
+	}
+
+ConnKey::ConnKey(Val* v)
+	{
+	const auto& vt = v->GetType();
+	if ( ! IsRecord(vt->Tag()) )
+		{
+		valid = false;
+		return;
+		}
+
+	RecordType* vr = vt->AsRecordType();
+	auto vl = v->As<RecordVal*>();
+
+	int orig_h, orig_p; // indices into record's value list
+	int resp_h, resp_p;
+
+	if ( vr == id::conn_id )
+		{
+		orig_h = 0;
+		orig_p = 1;
+		resp_h = 2;
+		resp_p = 3;
+		}
+	else
+		{
+		// While it's not a conn_id, it may have equivalent fields.
+		orig_h = vr->FieldOffset("orig_h");
+		resp_h = vr->FieldOffset("resp_h");
+		orig_p = vr->FieldOffset("orig_p");
+		resp_p = vr->FieldOffset("resp_p");
+
+		if ( orig_h < 0 || resp_h < 0 || orig_p < 0 || resp_p < 0 )
+			{
+			valid = false;
+			return;
+			}
+
+		// ### we ought to check that the fields have the right
+		// types, too.
+		}
+
+	const IPAddr& orig_addr = vl->GetFieldAs<AddrVal>(orig_h);
+	const IPAddr& resp_addr = vl->GetFieldAs<AddrVal>(resp_h);
+
+	auto orig_portv = vl->GetFieldAs<PortVal>(orig_p);
+	auto resp_portv = vl->GetFieldAs<PortVal>(resp_p);
+
+	Init(orig_addr, resp_addr, htons((unsigned short)orig_portv->Port()),
+	     htons((unsigned short)resp_portv->Port()), orig_portv->PortType(), false);
+	}
+
+void ConnKey::Init(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port,
+                   TransportProto t, bool one_way)
+	{
+	// Because of padding in the object, this needs to memset to clear out
+	// the extra memory used by padding. Otherwise, the session key stuff
+	// doesn't work quite right.
+	memset(this, 0, sizeof(ConnKey));
+
 	// Lookup up connection based on canonical ordering, which is
 	// the smaller of <src addr, src port> and <dst addr, dst port>
 	// followed by the other.
@@ -43,25 +128,9 @@ ConnKey::ConnKey(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16
 		port1 = dst_port;
 		port2 = src_port;
 		}
-	}
 
-ConnKey::ConnKey(const ConnTuple& id)
-	: ConnKey(id.src_addr, id.dst_addr, id.src_port, id.dst_port, id.proto, id.is_one_way)
-	{
-	}
-
-ConnKey& ConnKey::operator=(const ConnKey& rhs)
-	{
-	if ( this == &rhs )
-		return *this;
-
-	memcpy(&ip1, &rhs.ip1, sizeof(in6_addr));
-	memcpy(&ip2, &rhs.ip2, sizeof(in6_addr));
-	port1 = rhs.port1;
-	port2 = rhs.port2;
-	transport = rhs.transport;
-
-	return *this;
+	transport = t;
+	valid = true;
 	}
 
 	} // namespace detail

src/IPAddr.h

@@ -17,24 +17,28 @@ namespace zeek
 
 class String;
 struct ConnTuple;
+class Val;
 
 namespace detail
 	{
 
 class HashKey;
 
-struct ConnKey
+class ConnKey
 	{
+public:
 	in6_addr ip1;
 	in6_addr ip2;
-	uint16_t port1;
-	uint16_t port2;
-	TransportProto transport;
+	uint16_t port1 = 0;
+	uint16_t port2 = 0;
+	TransportProto transport = TRANSPORT_UNKNOWN;
+	bool valid = true;
 
 	ConnKey(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port,
 	        TransportProto t, bool one_way);
 	ConnKey(const ConnTuple& conn);
 	ConnKey(const ConnKey& rhs) { *this = rhs; }
+	ConnKey(Val* v);
 
 	bool operator<(const ConnKey& rhs) const { return memcmp(this, &rhs, sizeof(ConnKey)) < 0; }
 	bool operator<=(const ConnKey& rhs) const { return memcmp(this, &rhs, sizeof(ConnKey)) <= 0; }
@@ -44,6 +48,10 @@ struct ConnKey
 	bool operator>(const ConnKey& rhs) const { return memcmp(this, &rhs, sizeof(ConnKey)) > 0; }
 
 	ConnKey& operator=(const ConnKey& rhs);
+
+private:
+	void Init(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port,
+	          TransportProto t, bool one_way);
 	};
 
 using ConnIDKey [[deprecated("Remove in v5.1. Use zeek::detail::ConnKey.")]] = ConnKey;
@@ -430,7 +438,7 @@ public:
 	static const IPAddr v6_unspecified;
 
 private:
-	friend struct detail::ConnKey;
+	friend class detail::ConnKey;
 	friend class IPPrefix;
 
 	/**

src/RE.h

@@ -109,6 +109,7 @@ public:
 	// in an attempt to match at least one character.
 	int Match(const char* s);
 	int Match(const String* s);
+	int Match(const u_char* bv, int n);
 
 	int LongestMatch(const char* s);
 	int LongestMatch(const String* s);
@@ -136,7 +137,6 @@ protected:
 	void AddPat(const char* pat, const char* orig_fmt, const char* app_fmt);
 
 	bool MatchAll(const u_char* bv, int n);
-	int Match(const u_char* bv, int n);
 
 	match_type mt;
 	int multiline;
@@ -228,6 +228,8 @@ public:
 	int MatchPrefix(const String* s) { return re_exact->LongestMatch(s); }
 	int MatchPrefix(const u_char* s, int n) { return re_exact->LongestMatch(s, n); }
 
+	bool Match(const u_char* s, int n) { return re_anywhere->Match(s, n); }
+
 	const char* PatternText() const { return re_exact->PatternText(); }
 	const char* AnywherePatternText() const { return re_anywhere->PatternText(); }
 

src/analyzer/protocol/CMakeLists.txt

@@ -41,7 +41,7 @@ add_subdirectory(ssh)
 add_subdirectory(ssl)
 add_subdirectory(syslog)
 add_subdirectory(tcp)
-add_subdirectory(teredo)
+#add_subdirectory(teredo)
 #add_subdirectory(vxlan)
 add_subdirectory(xmpp)
 add_subdirectory(zip)

src/packet_analysis/protocol/CMakeLists.txt

@@ -25,3 +25,4 @@ add_subdirectory(iptunnel)
 add_subdirectory(ayiya)
 add_subdirectory(geneve)
 add_subdirectory(vxlan)
+add_subdirectory(teredo)

src/packet_analysis/protocol/teredo/CMakeLists.txt

@@ -0,0 +1,7 @@
+include(ZeekPlugin)
+
+zeek_plugin_begin(Zeek Teredo)
+zeek_plugin_cc(Teredo.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_bif(functions.bif)
+zeek_plugin_end()

src/packet_analysis/protocol/teredo/Plugin.cc

@@ -0,0 +1,26 @@
+// See the file  in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/teredo/Teredo.h"
+
+namespace zeek::plugin::detail::Zeek_Teredo
+	{
+
+class Plugin : public zeek::plugin::Plugin
+	{
+public:
+	zeek::plugin::Configuration Configure() override
+		{
+		AddComponent(new zeek::packet_analysis::Component(
+			"Teredo", zeek::packet_analysis::teredo::TeredoAnalyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::Teredo";
+		config.description = "Teredo packet analyzer";
+		return config;
+		}
+	} plugin;
+
+	} // namespace zeek::plugin::detail::Zeek_Teredo

src/packet_analysis/protocol/teredo/Teredo.cc

@@ -0,0 +1,280 @@
+#include "zeek/packet_analysis/protocol/teredo/Teredo.h"
+
+#include "zeek/Conn.h"
+#include "zeek/IP.h"
+#include "zeek/RE.h"
+#include "zeek/Reporter.h"
+#include "zeek/RunState.h"
+#include "zeek/TunnelEncapsulation.h"
+#include "zeek/ZeekString.h"
+#include "zeek/packet_analysis/protocol/ip/IP.h"
+#include "zeek/packet_analysis/protocol/iptunnel/IPTunnel.h"
+#include "zeek/packet_analysis/protocol/teredo/events.bif.h"
+
+namespace zeek::packet_analysis::teredo
+	{
+
+namespace detail
+	{
+
+bool TeredoEncapsulation::DoParse(const u_char* data, size_t& len, bool found_origin,
+                                  bool found_auth)
+	{
+	if ( len < 2 )
+		{
+		Weird("truncated_Teredo");
+		return false;
+		}
+
+	uint16_t tag = ntohs((*((const uint16_t*)data)));
+
+	if ( tag == 0 )
+		{
+		// Origin Indication
+		if ( found_origin )
+			// can't have multiple origin indications
+			return false;
+
+		if ( len < 8 )
+			{
+			Weird("truncated_Teredo_origin_indication");
+			return false;
+			}
+
+		origin_indication = data;
+		len -= 8;
+		data += 8;
+		return DoParse(data, len, true, found_auth);
+		}
+
+	else if ( tag == 1 )
+		{
+		// Authentication
+		if ( found_origin || found_auth )
+			// can't have multiple authentication headers and can't come after
+			// an origin indication
+			return false;
+
+		if ( len < 4 )
+			{
+			Weird("truncated_Teredo_authentication");
+			return false;
+			}
+
+		uint8_t id_len = data[2];
+		uint8_t au_len = data[3];
+		uint16_t tot_len = 4 + id_len + au_len + 8 + 1;
+
+		if ( len < tot_len )
+			{
+			Weird("truncated_Teredo_authentication");
+			return false;
+			}
+
+		auth = data;
+		len -= tot_len;
+		data += tot_len;
+		return DoParse(data, len, found_origin, true);
+		}
+
+	else if ( ((tag & 0xf000) >> 12) == 6 )
+		{
+		// IPv6
+		if ( len < 40 )
+			{
+			Weird("truncated_IPv6_in_Teredo");
+			return false;
+			}
+
+		// There's at least a possible IPv6 header, we'll decide what to do
+		// later if the payload length field doesn't match the actual length
+		// of the packet.
+		inner_ip = data;
+		return true;
+		}
+
+	return false;
+	}
+
+RecordValPtr TeredoEncapsulation::BuildVal(const std::shared_ptr<IP_Hdr>& inner) const
+	{
+	static auto teredo_hdr_type = id::find_type<RecordType>("teredo_hdr");
+	static auto teredo_auth_type = id::find_type<RecordType>("teredo_auth");
+	static auto teredo_origin_type = id::find_type<RecordType>("teredo_origin");
+
+	auto teredo_hdr = make_intrusive<RecordVal>(teredo_hdr_type);
+
+	if ( auth )
+		{
+		auto teredo_auth = make_intrusive<RecordVal>(teredo_auth_type);
+		uint8_t id_len = *((uint8_t*)(auth + 2));
+		uint8_t au_len = *((uint8_t*)(auth + 3));
+		uint64_t nonce = ntohll(*((uint64_t*)(auth + 4 + id_len + au_len)));
+		uint8_t conf = *((uint8_t*)(auth + 4 + id_len + au_len + 8));
+		teredo_auth->Assign(0, new String(auth + 4, id_len, true));
+		teredo_auth->Assign(1, new String(auth + 4 + id_len, au_len, true));
+		teredo_auth->Assign(2, nonce);
+		teredo_auth->Assign(3, conf);
+		teredo_hdr->Assign(0, std::move(teredo_auth));
+		}
+
+	if ( origin_indication )
+		{
+		auto teredo_origin = make_intrusive<RecordVal>(teredo_origin_type);
+		uint16_t port = ntohs(*((uint16_t*)(origin_indication + 2))) ^ 0xFFFF;
+		uint32_t addr = ntohl(*((uint32_t*)(origin_indication + 4))) ^ 0xFFFFFFFF;
+		teredo_origin->Assign(0, val_mgr->Port(port, TRANSPORT_UDP));
+		teredo_origin->Assign(1, make_intrusive<AddrVal>(htonl(addr)));
+		teredo_hdr->Assign(1, std::move(teredo_origin));
+		}
+
+	teredo_hdr->Assign(2, inner->ToPktHdrVal());
+	return teredo_hdr;
+	}
+
+	} // namespace detail
+
+TeredoAnalyzer::TeredoAnalyzer() : zeek::packet_analysis::Analyzer("TEREDO")
+	{
+	// The pattern matching below is based on this old DPD signature
+	// signature dpd_teredo {
+	// 	ip-proto = udp
+	// 	payload
+	// /^(\x00\x00)|(\x00\x01)|([\x60-\x6f].{7}((\x20\x01\x00\x00)).{28})|([\x60-\x6f].{23}((\x20\x01\x00\x00))).{12}/
+	// 	enable "teredo"
+	// 	}
+
+	pattern_re = std::make_unique<zeek::detail::Specific_RE_Matcher>(zeek::detail::MATCH_EXACTLY,
+	                                                                 1);
+	pattern_re->AddPat("^(\\x00\\x00)|(\\x00\\x01)|([\\x60-\\x6f].{7}((\\x20\\x01\\x00\\x00)).{28})"
+	                   "|([\\x60-\\x6f].{23}((\\x20\\x01\\x00\\x00))).{12}");
+	pattern_re->Compile();
+	}
+
+bool TeredoAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	if ( ! BifConst::Tunnel::enable_teredo )
+		return false;
+
+	// Teredo always comes from a UDP connection, which means that session should always
+	// be valid and always be a connection. Store this off for the span of the
+	// processing so that it can be used for other things. Return a weird if we didn't
+	// have a session stored.
+	if ( ! packet->session )
+		{
+		Analyzer::Weird("teredo_missing_connection");
+		return false;
+		}
+	else if ( AnalyzerViolated(packet->session) )
+		return false;
+
+	if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth )
+		{
+		Analyzer::Weird("exceeded_tunnel_max_depth", packet);
+		return false;
+		}
+
+	conn = static_cast<Connection*>(packet->session);
+	zeek::detail::ConnKey conn_key = conn->Key();
+
+	OrigRespMap::iterator or_it = orig_resp_map.find(conn_key);
+	if ( or_it == orig_resp_map.end() )
+		or_it = orig_resp_map.insert(or_it, {conn_key, {}});
+
+	detail::TeredoEncapsulation te(this);
+	if ( ! te.Parse(data, len) )
+		{
+		AnalyzerViolation("Bad Teredo encapsulation", conn, (const char*)data, len);
+		return false;
+		}
+
+	// TODO: i'm not sure about this. on the one hand, we do some error checking with the result
+	// but on the other hand we duplicate this work here. maybe this header could just be stored
+	// and reused in the IP analyzer somehow?
+	std::shared_ptr<IP_Hdr> inner = nullptr;
+	int rslt = packet_analysis::IP::ParsePacket(len, te.InnerIP(), IPPROTO_IPV6, inner);
+	if ( rslt > 0 )
+		{
+		if ( inner->NextProto() == IPPROTO_NONE && inner->PayloadLen() == 0 )
+			// Teredo bubbles having data after IPv6 header isn't strictly a
+			// violation, but a little weird.
+			Weird("Teredo_bubble_with_payload", true);
+		else
+			{
+			AnalyzerViolation("Teredo payload length", conn, (const char*)data, len);
+			return false;
+			}
+		}
+
+	if ( rslt == 0 || rslt > 0 )
+		{
+		if ( packet->is_orig )
+			or_it->second.valid_orig = true;
+		else
+			or_it->second.valid_resp = true;
+
+		Confirm(or_it->second.valid_orig, or_it->second.valid_resp);
+		}
+	else
+		{
+		AnalyzerViolation("Truncated Teredo or invalid inner IP version", conn, (const char*)data,
+		                  len);
+		return false;
+		}
+
+	ValPtr teredo_hdr;
+
+	if ( teredo_packet )
+		{
+		teredo_hdr = te.BuildVal(inner);
+		packet->session->EnqueueEvent(teredo_packet, nullptr, packet->session->GetVal(),
+		                              teredo_hdr);
+		}
+
+	if ( te.Authentication() && teredo_authentication )
+		{
+		if ( ! teredo_hdr )
+			teredo_hdr = te.BuildVal(inner);
+
+		packet->session->EnqueueEvent(teredo_authentication, nullptr, packet->session->GetVal(),
+		                              teredo_hdr);
+		}
+
+	if ( te.OriginIndication() && teredo_origin_indication )
+		{
+		if ( ! teredo_hdr )
+			teredo_hdr = te.BuildVal(inner);
+
+		packet->session->EnqueueEvent(teredo_origin_indication, nullptr, packet->session->GetVal(),
+		                              teredo_hdr);
+		}
+
+	if ( inner->NextProto() == IPPROTO_NONE && teredo_bubble )
+		{
+		if ( ! teredo_hdr )
+			teredo_hdr = te.BuildVal(inner);
+
+		packet->session->EnqueueEvent(teredo_bubble, nullptr, packet->session->GetVal(),
+		                              teredo_hdr);
+		}
+
+	int encap_index = 0;
+	auto inner_packet = packet_analysis::IPTunnel::build_inner_packet(
+		packet, &encap_index, nullptr, len, te.InnerIP(), DLT_RAW, BifEnum::Tunnel::TEREDO,
+		GetAnalyzerTag());
+
+	return ForwardPacket(len, te.InnerIP(), inner_packet.get());
+	}
+
+bool TeredoAnalyzer::DetectProtocol(size_t len, const uint8_t* data, Packet* packet)
+	{
+	if ( ! BifConst::Tunnel::enable_teredo )
+		return false;
+
+	if ( ! pattern_re->Match(data, len) )
+		return false;
+
+	return true;
+	}
+
+	} // namespace zeek::packet_analysis::teredo

src/packet_analysis/protocol/teredo/Teredo.h

@@ -0,0 +1,106 @@
+#pragma once
+
+#include <map>
+
+#include "zeek/Conn.h"
+#include "zeek/NetVar.h"
+#include "zeek/RE.h"
+#include "zeek/Reporter.h"
+#include "zeek/packet_analysis/Analyzer.h"
+
+namespace zeek::packet_analysis::teredo
+	{
+
+class TeredoAnalyzer final : public packet_analysis::Analyzer
+	{
+public:
+	TeredoAnalyzer();
+	~TeredoAnalyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<TeredoAnalyzer>();
+		}
+
+	/**
+	 * Emits a weird only if the analyzer has previously been able to
+	 * decapsulate a Teredo packet in both directions or if *force* param is
+	 * set, since otherwise the weirds could happen frequently enough to be less
+	 * than helpful.  The *force* param is meant for cases where just one side
+	 * has a valid encapsulation and so the weird would be informative.
+	 */
+	void Weird(const char* name, bool force = false) const
+		{
+		if ( AnalyzerConfirmed(conn) || force )
+			reporter->Weird(conn, name, "", GetAnalyzerName());
+		}
+
+	/**
+	 * If the delayed confirmation option is set, then a valid encapsulation
+	 * seen from both end points is required before confirming.
+	 */
+	void Confirm(bool valid_orig, bool valid_resp)
+		{
+		if ( ! BifConst::Tunnel::delay_teredo_confirmation || (valid_orig && valid_resp) )
+			{
+			AnalyzerConfirmation(conn);
+			}
+		}
+
+	bool DetectProtocol(size_t len, const uint8_t* data, Packet* packet) override;
+
+	void RemoveConnection(const zeek::detail::ConnKey& conn_key) { orig_resp_map.erase(conn_key); }
+
+protected:
+	Connection* conn = nullptr;
+
+	struct OrigResp
+		{
+		bool valid_orig = false;
+		bool valid_resp = false;
+		bool confirmed = false;
+		};
+	using OrigRespMap = std::map<zeek::detail::ConnKey, OrigResp>;
+	OrigRespMap orig_resp_map;
+
+	std::unique_ptr<zeek::detail::Specific_RE_Matcher> pattern_re;
+	};
+
+namespace detail
+	{
+
+class TeredoEncapsulation
+	{
+public:
+	explicit TeredoEncapsulation(const TeredoAnalyzer* ta) : analyzer(ta) { }
+
+	/**
+	 * Returns whether input data parsed as a valid Teredo encapsulation type.
+	 * If it was valid, the len argument is decremented appropriately.
+	 */
+	bool Parse(const u_char* data, size_t& len) { return DoParse(data, len, false, false); }
+
+	const u_char* InnerIP() const { return inner_ip; }
+
+	const u_char* OriginIndication() const { return origin_indication; }
+
+	const u_char* Authentication() const { return auth; }
+
+	RecordValPtr BuildVal(const std::shared_ptr<IP_Hdr>& inner) const;
+
+private:
+	bool DoParse(const u_char* data, size_t& len, bool found_orig, bool found_au);
+
+	void Weird(const char* name) const { analyzer->Weird(name); }
+
+	const u_char* inner_ip = nullptr;
+	const u_char* origin_indication = nullptr;
+	const u_char* auth = nullptr;
+	const TeredoAnalyzer* analyzer = nullptr;
+	};
+
+	} // namespace detail
+
+	} // namespace zeek::packet_analysis::teredo

src/packet_analysis/protocol/teredo/events.bif

@@ -0,0 +1,55 @@
+## Generated for any IPv6 packet encapsulated in a Teredo tunnel.
+## See :rfc:`4380` for more information about the Teredo protocol.
+##
+## outer: The Teredo tunnel connection.
+##
+## inner: The Teredo-encapsulated IPv6 packet header and transport header.
+##
+## .. zeek:see:: teredo_authentication teredo_origin_indication teredo_bubble
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+##    it may become particularly expensive for real-time analysis.
+event teredo_packet%(outer: connection, inner: teredo_hdr%);
+
+## Generated for IPv6 packets encapsulated in a Teredo tunnel that
+## use the Teredo authentication encapsulation method.
+## See :rfc:`4380` for more information about the Teredo protocol.
+##
+## outer: The Teredo tunnel connection.
+##
+## inner: The Teredo-encapsulated IPv6 packet header and transport header.
+##
+## .. zeek:see:: teredo_packet teredo_origin_indication teredo_bubble
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+##    it may become particularly expensive for real-time analysis.
+event teredo_authentication%(outer: connection, inner: teredo_hdr%);
+
+## Generated for IPv6 packets encapsulated in a Teredo tunnel that
+## use the Teredo origin indication encapsulation method.
+## See :rfc:`4380` for more information about the Teredo protocol.
+##
+## outer: The Teredo tunnel connection.
+##
+## inner: The Teredo-encapsulated IPv6 packet header and transport header.
+##
+## .. zeek:see:: teredo_packet teredo_authentication teredo_bubble
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+##    it may become particularly expensive for real-time analysis.
+event teredo_origin_indication%(outer: connection, inner: teredo_hdr%);
+
+## Generated for Teredo bubble packets.  That is, IPv6 packets encapsulated
+## in a Teredo tunnel that have a Next Header value of :zeek:id:`IPPROTO_NONE`.
+## See :rfc:`4380` for more information about the Teredo protocol.
+##
+## outer: The Teredo tunnel connection.
+##
+## inner: The Teredo-encapsulated IPv6 packet header and transport header.
+##
+## .. zeek:see:: teredo_packet teredo_authentication teredo_origin_indication
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+##    it may become particularly expensive for real-time analysis.
+event teredo_bubble%(outer: connection, inner: teredo_hdr%);
+

src/packet_analysis/protocol/teredo/functions.bif

@@ -0,0 +1,20 @@
+module PacketAnalyzer::TEREDO;
+
+%%{
+#include "zeek/Conn.h"
+#include "zeek/session/Manager.h"
+#include "zeek/packet_analysis/Manager.h"
+#include "zeek/packet_analysis/protocol/teredo/Teredo.h"
+%%}
+
+function remove_teredo_connection%(cid: conn_id%) : bool
+	%{
+	zeek::packet_analysis::AnalyzerPtr teredo = zeek::packet_mgr->GetAnalyzer("Teredo");
+	if ( teredo )
+		{
+		zeek::detail::ConnKey conn_key(cid);
+		static_cast<zeek::packet_analysis::teredo::TeredoAnalyzer*>(teredo.get())->RemoveConnection(conn_key);
+		}
+
+	return zeek::val_mgr->True();
+	%}

src/session/Manager.cc

@@ -101,48 +101,11 @@ void Manager::Done() { }
 
 Connection* Manager::FindConnection(Val* v)
 	{
-	const auto& vt = v->GetType();
-	if ( ! IsRecord(vt->Tag()) )
+	zeek::detail::ConnKey conn_key(v);
+
+	if ( ! conn_key.valid )
 		return nullptr;
 
-	RecordType* vr = vt->AsRecordType();
-	auto vl = v->As<RecordVal*>();
-
-	int orig_h, orig_p; // indices into record's value list
-	int resp_h, resp_p;
-
-	if ( vr == id::conn_id )
-		{
-		orig_h = 0;
-		orig_p = 1;
-		resp_h = 2;
-		resp_p = 3;
-		}
-	else
-		{
-		// While it's not a conn_id, it may have equivalent fields.
-		orig_h = vr->FieldOffset("orig_h");
-		resp_h = vr->FieldOffset("resp_h");
-		orig_p = vr->FieldOffset("orig_p");
-		resp_p = vr->FieldOffset("resp_p");
-
-		if ( orig_h < 0 || resp_h < 0 || orig_p < 0 || resp_p < 0 )
-			return nullptr;
-
-		// ### we ought to check that the fields have the right
-		// types, too.
-		}
-
-	const IPAddr& orig_addr = vl->GetFieldAs<AddrVal>(orig_h);
-	const IPAddr& resp_addr = vl->GetFieldAs<AddrVal>(resp_h);
-
-	auto orig_portv = vl->GetFieldAs<PortVal>(orig_p);
-	auto resp_portv = vl->GetFieldAs<PortVal>(resp_p);
-
-	zeek::detail::ConnKey conn_key(orig_addr, resp_addr, htons((unsigned short)orig_portv->Port()),
-	                               htons((unsigned short)resp_portv->Port()),
-	                               orig_portv->PortType(), false);
-
 	return FindConnection(conn_key);
 	}
 

testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log

@@ -73,6 +73,9 @@ scripts/base/init-bare.zeek
       scripts/base/packet-protocols/geneve/main.zeek
     scripts/base/packet-protocols/vxlan/__load__.zeek
       scripts/base/packet-protocols/vxlan/main.zeek
+    scripts/base/packet-protocols/teredo/__load__.zeek
+      scripts/base/packet-protocols/teredo/main.zeek
+        build/scripts/base/bif/plugins/Zeek_Teredo.functions.bif.zeek
 scripts/base/init-frameworks-and-bifs.zeek
   scripts/base/frameworks/logging/__load__.zeek
     scripts/base/frameworks/logging/main.zeek
@@ -210,13 +213,13 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -73,6 +73,9 @@ scripts/base/init-bare.zeek
       scripts/base/packet-protocols/geneve/main.zeek
     scripts/base/packet-protocols/vxlan/__load__.zeek
       scripts/base/packet-protocols/vxlan/main.zeek
+    scripts/base/packet-protocols/teredo/__load__.zeek
+      scripts/base/packet-protocols/teredo/main.zeek
+        build/scripts/base/bif/plugins/Zeek_Teredo.functions.bif.zeek
 scripts/base/init-frameworks-and-bifs.zeek
   scripts/base/frameworks/logging/__load__.zeek
     scripts/base/frameworks/logging/main.zeek
@@ -210,13 +213,13 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek

testing/btest/Baseline/plugins.hooks/output

@@ -59,7 +59,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 993/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS)) -> <no result>
@@ -122,7 +121,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 993/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DCE_RPC, {135/tcp})) -> <no result>
@@ -151,7 +149,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SSH, {22/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SSL, {563<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SYSLOG, {514/udp})) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_TEREDO, {3544/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Broker::__set_metrics_export_endpoint_name, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Broker::__set_metrics_export_interval, <frame>, (1.0 sec)) -> <no result>
@@ -580,9 +577,11 @@
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, 3544/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp})) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, {3544/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)) -> <no result>
@@ -632,6 +631,7 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE)) -> <no result>
@@ -646,6 +646,7 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::build, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, )) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::install, <frame>, ()) -> <no result>
@@ -676,6 +677,7 @@
 0.000000   MetaHookPost  CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS)) -> <no result>
 0.000000   MetaHookPost  CallFunction(global_ids, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(network_time, <frame>, ()) -> <no result>
+0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (3544/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (4789/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (5072/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (6081/udp)) -> <no result>
@@ -804,6 +806,7 @@
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Teredo.events.bif.zeek, <...>/Zeek_Teredo.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, ./Zeek_Teredo.functions.bif.zeek, <...>/Zeek_Teredo.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_UDP.events.bif.zeek, <...>/Zeek_UDP.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Unified2.events.bif.zeek, <...>/Zeek_Unified2.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Unified2.types.bif.zeek, <...>/Zeek_Unified2.types.bif.zeek) -> -1
@@ -921,6 +924,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/active-http, <...>/active-http.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/addrs, <...>/addrs.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/analyzer, <...>/analyzer) -> -1
@@ -1029,6 +1033,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/supervisor.bif, <...>/supervisor.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/syslog, <...>/syslog) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/tcp, <...>/tcp) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/teredo, <...>/teredo) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/thresholds, <...>/thresholds.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/time, <...>/time.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/tunnels, <...>/tunnels) -> -1
@@ -1175,6 +1180,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Teredo.events.bif.zeek, <...>/Zeek_Teredo.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Teredo.functions.bif.zeek, <...>/Zeek_Teredo.functions.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_UDP.events.bif.zeek, <...>/Zeek_UDP.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Unified2.events.bif.zeek, <...>/Zeek_Unified2.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Unified2.types.bif.zeek, <...>/Zeek_Unified2.types.bif.zeek) -> (-1, <no content>)
@@ -1292,6 +1298,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/active-http, <...>/active-http.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/addrs, <...>/addrs.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/analyzer, <...>/analyzer) -> (-1, <no content>)
@@ -1400,6 +1407,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/supervisor.bif, <...>/supervisor.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/syslog, <...>/syslog) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/tcp, <...>/tcp) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/teredo, <...>/teredo) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/thresholds, <...>/thresholds.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/time, <...>/time.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/tunnels, <...>/tunnels) -> (-1, <no content>)
@@ -1496,7 +1504,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 993/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS))
@@ -1559,7 +1566,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 993/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DCE_RPC, {135/tcp}))
@@ -1588,7 +1594,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SSH, {22/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SSL, {563<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SYSLOG, {514/udp}))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_TEREDO, {3544/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_XMPP, {5222<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Broker::__set_metrics_export_endpoint_name, <frame>, ())
 0.000000   MetaHookPre   CallFunction(Broker::__set_metrics_export_interval, <frame>, (1.0 sec))
@@ -2017,9 +2022,11 @@
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, 3544/udp))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp}))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp}))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, {3544/udp}))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp}))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP))
@@ -2069,6 +2076,7 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE))
@@ -2083,6 +2091,7 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO))
 0.000000   MetaHookPre   CallFunction(PacketFilter::build, <frame>, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, ))
 0.000000   MetaHookPre   CallFunction(PacketFilter::install, <frame>, ())
@@ -2113,6 +2122,7 @@
 0.000000   MetaHookPre   CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS))
 0.000000   MetaHookPre   CallFunction(global_ids, <frame>, ())
 0.000000   MetaHookPre   CallFunction(network_time, <frame>, ())
+0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (3544/udp))
 0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (4789/udp))
 0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (5072/udp))
 0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (6081/udp))
@@ -2241,6 +2251,7 @@
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Teredo.events.bif.zeek, <...>/Zeek_Teredo.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, ./Zeek_Teredo.functions.bif.zeek, <...>/Zeek_Teredo.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_UDP.events.bif.zeek, <...>/Zeek_UDP.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Unified2.events.bif.zeek, <...>/Zeek_Unified2.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Unified2.types.bif.zeek, <...>/Zeek_Unified2.types.bif.zeek)
@@ -2358,6 +2369,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/active-http, <...>/active-http.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/addrs, <...>/addrs.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/analyzer, <...>/analyzer)
@@ -2466,6 +2478,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/supervisor.bif, <...>/supervisor.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/syslog, <...>/syslog)
 0.000000   MetaHookPre   LoadFile(0, base<...>/tcp, <...>/tcp)
+0.000000   MetaHookPre   LoadFile(0, base<...>/teredo, <...>/teredo)
 0.000000   MetaHookPre   LoadFile(0, base<...>/thresholds, <...>/thresholds.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/time, <...>/time.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/tunnels, <...>/tunnels)
@@ -2612,6 +2625,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Teredo.events.bif.zeek, <...>/Zeek_Teredo.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Teredo.functions.bif.zeek, <...>/Zeek_Teredo.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_UDP.events.bif.zeek, <...>/Zeek_UDP.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Unified2.events.bif.zeek, <...>/Zeek_Unified2.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Unified2.types.bif.zeek, <...>/Zeek_Unified2.types.bif.zeek)
@@ -2729,6 +2743,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/active-http, <...>/active-http.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/addrs, <...>/addrs.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/analyzer, <...>/analyzer)
@@ -2837,6 +2852,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/supervisor.bif, <...>/supervisor.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/syslog, <...>/syslog)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/tcp, <...>/tcp)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/teredo, <...>/teredo)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/thresholds, <...>/thresholds.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/time, <...>/time.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/tunnels, <...>/tunnels)
@@ -2933,7 +2949,6 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 993/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 995/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_TCPSTATS)
@@ -2996,7 +3011,6 @@
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 993/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 995/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DCE_RPC, {135/tcp})
@@ -3025,7 +3039,6 @@
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, {22/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, {563<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, {514/udp})
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, {3544/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, {5222<...>/tcp})
 0.000000 | HookCallFunction Broker::__set_metrics_export_endpoint_name()
 0.000000 | HookCallFunction Broker::__set_metrics_export_interval(1.0 sec)
@@ -3453,9 +3466,11 @@
 0.000000 | HookCallFunction Option::set_change_handler(udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)
 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp)
+0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, 3544/udp)
 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp)
 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})
 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp})
+0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, {3544/udp})
 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)
@@ -3505,6 +3520,7 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE)
@@ -3519,6 +3535,7 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA)
+0.000000 | HookCallFunction PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO)
 0.000000 | HookCallFunction PacketFilter::build()
 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, )
 0.000000 | HookCallFunction PacketFilter::install()
@@ -3549,6 +3566,7 @@
 0.000000 | HookCallFunction getenv(ZEEK_DEFAULT_LISTEN_ADDRESS)
 0.000000 | HookCallFunction global_ids()
 0.000000 | HookCallFunction network_time()
+0.000000 | HookCallFunction port_to_count(3544/udp)
 0.000000 | HookCallFunction port_to_count(4789/udp)
 0.000000 | HookCallFunction port_to_count(5072/udp)
 0.000000 | HookCallFunction port_to_count(6081/udp)
@@ -3677,6 +3695,7 @@
 0.000000 | HookLoadFile  ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_TCP.types.bif.zeek <...>/Zeek_TCP.types.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_Teredo.events.bif.zeek <...>/Zeek_Teredo.events.bif.zeek
+0.000000 | HookLoadFile  ./Zeek_Teredo.functions.bif.zeek <...>/Zeek_Teredo.functions.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_UDP.events.bif.zeek <...>/Zeek_UDP.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_Unified2.events.bif.zeek <...>/Zeek_Unified2.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_Unified2.types.bif.zeek <...>/Zeek_Unified2.types.bif.zeek
@@ -3806,6 +3825,7 @@
 0.000000 | HookLoadFile  base<...>/CPP-load.bif <...>/CPP-load.bif.zeek
 0.000000 | HookLoadFile  base<...>/Zeek_KRB.types.bif <...>/Zeek_KRB.types.bif.zeek
 0.000000 | HookLoadFile  base<...>/Zeek_SNMP.types.bif <...>/Zeek_SNMP.types.bif.zeek
+0.000000 | HookLoadFile  base<...>/Zeek_Teredo.functions.bif <...>/Zeek_Teredo.functions.bif.zeek
 0.000000 | HookLoadFile  base<...>/active-http <...>/active-http.zeek
 0.000000 | HookLoadFile  base<...>/addrs <...>/addrs.zeek
 0.000000 | HookLoadFile  base<...>/analyzer <...>/analyzer
@@ -3914,6 +3934,7 @@
 0.000000 | HookLoadFile  base<...>/supervisor.bif <...>/supervisor.bif.zeek
 0.000000 | HookLoadFile  base<...>/syslog <...>/syslog
 0.000000 | HookLoadFile  base<...>/tcp <...>/tcp
+0.000000 | HookLoadFile  base<...>/teredo <...>/teredo
 0.000000 | HookLoadFile  base<...>/thresholds <...>/thresholds.zeek
 0.000000 | HookLoadFile  base<...>/time <...>/time.zeek
 0.000000 | HookLoadFile  base<...>/tunnels <...>/tunnels
@@ -4048,6 +4069,7 @@
 0.000000 | HookLoadFileExtended ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_TCP.types.bif.zeek <...>/Zeek_TCP.types.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_Teredo.events.bif.zeek <...>/Zeek_Teredo.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_Teredo.functions.bif.zeek <...>/Zeek_Teredo.functions.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_UDP.events.bif.zeek <...>/Zeek_UDP.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_Unified2.events.bif.zeek <...>/Zeek_Unified2.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_Unified2.types.bif.zeek <...>/Zeek_Unified2.types.bif.zeek
@@ -4177,6 +4199,7 @@
 0.000000 | HookLoadFileExtended base<...>/CPP-load.bif <...>/CPP-load.bif.zeek
 0.000000 | HookLoadFileExtended base<...>/Zeek_KRB.types.bif <...>/Zeek_KRB.types.bif.zeek
 0.000000 | HookLoadFileExtended base<...>/Zeek_SNMP.types.bif <...>/Zeek_SNMP.types.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/Zeek_Teredo.functions.bif <...>/Zeek_Teredo.functions.bif.zeek
 0.000000 | HookLoadFileExtended base<...>/active-http <...>/active-http.zeek
 0.000000 | HookLoadFileExtended base<...>/addrs <...>/addrs.zeek
 0.000000 | HookLoadFileExtended base<...>/analyzer <...>/analyzer
@@ -4285,6 +4308,7 @@
 0.000000 | HookLoadFileExtended base<...>/supervisor.bif <...>/supervisor.bif.zeek
 0.000000 | HookLoadFileExtended base<...>/syslog <...>/syslog
 0.000000 | HookLoadFileExtended base<...>/tcp <...>/tcp
+0.000000 | HookLoadFileExtended base<...>/teredo <...>/teredo
 0.000000 | HookLoadFileExtended base<...>/thresholds <...>/thresholds.zeek
 0.000000 | HookLoadFileExtended base<...>/time <...>/time.zeek
 0.000000 | HookLoadFileExtended base<...>/tunnels <...>/tunnels
@@ -4782,6 +4806,7 @@ XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, (
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(Log::__write, <frame>, (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], Conn::LOG)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(Log::write, <frame>, (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])) -> <no result>
+XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(PacketAnalyzer::TEREDO::remove_teredo_connection, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(filter_change_tracking, <null>, ()) -> <no result>
@@ -4819,6 +4844,7 @@ XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, (
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Log::__write, <frame>, (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>]))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], Conn::LOG))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Log::write, <frame>, (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>]))
+XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(PacketAnalyzer::TEREDO::remove_teredo_connection, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(filter_change_tracking, <null>, ())
@@ -4857,6 +4883,7 @@ XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.2
 XXXXXXXXXX.XXXXXX | HookCallFunction Log::__write(Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])
 XXXXXXXXXX.XXXXXX | HookCallFunction Log::log_stream_policy([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], Conn::LOG)
 XXXXXXXXXX.XXXXXX | HookCallFunction Log::write(Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])
+XXXXXXXXXX.XXXXXX | HookCallFunction PacketAnalyzer::TEREDO::remove_teredo_connection([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])
 XXXXXXXXXX.XXXXXX | HookCallFunction cat(Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
 XXXXXXXXXX.XXXXXX | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 XXXXXXXXXX.XXXXXX | HookCallFunction filter_change_tracking()

testing/btest/Baseline/scripts.base.frameworks.notice.mail-alarms/alarm-mail.txt

@@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
->  2005-10-07-23:23:55 Test_Notice 141.42.64.125:56730/tcp -> 125.190.109.199:80/tcp (uid CHhAvVGS1DHFjwGM9)
+>  2005-10-07-23:23:55 Test_Notice 141.42.64.125:56730/tcp -> 125.190.109.199:80/tcp (uid ClEkJM2Vm5giqnMf4h)
    test
    # 141.42.64.125 = <skipped>  125.190.109.199 = <skipped>
 

testing/btest/Baseline/signatures.dpd/dpd-ipv4.out

@@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 3
+|Analyzer::all_registered_ports()|, 4
 signature_match [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp] - matched my_ftp_client
 ftp_reply 199.233.217.249:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
 ftp_request 141.142.220.235:50003 - USER anonymous

testing/btest/Baseline/signatures.dpd/dpd-ipv6.out

@@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 3
+|Analyzer::all_registered_ports()|, 4
 signature_match [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp] - matched my_ftp_client
 ftp_reply [2001:470:4867:99::21]:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
 ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - USER anonymous

testing/btest/Baseline/signatures.dpd/nosig-ipv4.out

@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 3
+|Analyzer::all_registered_ports()|, 4

testing/btest/Baseline/signatures.dpd/nosig-ipv6.out

@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 3
+|Analyzer::all_registered_ports()|, 4