Merge remote-tracking branch 'origin/topic/vern/ast-opt'

- Removed a stray `printf()` from script-opt Reduce code * origin/topic/vern/ast-opt: (23 commits) Tweak minor const-ref/std::move things in script-opt code Add alternative 'xform' baseline for test: broker.store.create-failure Add explicit return value to Reducer::SameOp() fixed AST transformation logic for boolean expressions don't know how I overlooked these minor test suite updates "opt" btest baseline updates due to AST optimizations changing printed code "opt" baseline exceptions due to incompatibility with optimize-AST and -u new "opt" btest alternative update to "xform" test suite baseline due to recent line number changes logic for driving AST optimization when requested methods implementing AST optimization (aliasing, constant propagation, CSE) helper class checking if common-subexpression elimination opportunity is valid helper function for comparing collections of definition points track more information about temporary variables simplify and tidy up some interfaces enable setting "-O optimize-AST" option fix for reducing operations on boolean vectors control whether checking for type-equivalence generates warnings remove unneeded virtual method (same as inherited method) accessors for additional Expr subclasses ...
2025-10-02 06:38:20 +00:00 · 2021-03-08 18:28:22 -08:00 · 2021-03-08 18:28:22 -08:00 · f2d3bf3037
commit f2d3bf3037
parent 8e684609d2 b66f4ad500
26 changed files with 15968 additions and 146 deletions
--- a/32
+++ b/32
@ -1,4 +1,36 @@

+4.1.0-dev.314 | 2021-03-08 18:28:22 -0800
+
+  * new "opt" btest alternative (Vern Paxson, Corelight)
+
+  * update to "xform" test suite baseline due to recent line number changes (Vern Paxson, Corelight)
+
+  * logic for driving AST optimization when requested (Vern Paxson, Corelight)
+
+  * methods implementing AST optimization (aliasing, constant propagation, CSE) (Vern Paxson, Corelight)
+
+  * helper class checking if common-subexpression elimination opportunity is valid (Vern Paxson, Corelight)
+
+  * helper function for comparing collections of definition points (Vern Paxson, Corelight)
+
+  * track more information about temporary variables (Vern Paxson, Corelight)
+
+  * simplify and tidy up some script-opt interfaces (Vern Paxson, Corelight)
+
+  * enable setting "-O optimize-AST" option (Vern Paxson, Corelight)
+
+  * fix for reducing operations on boolean vectors (Vern Paxson, Corelight)
+
+  * Add flag to FuncType::CheckArgs() to control type-equivalence warning output (Vern Paxson, Corelight)
+
+  * remove unneeded IndexExpr::Traverse() virtual method (same as inherited method) (Vern Paxson, Corelight)
+
+  * accessors for additional Expr subclasses (Vern Paxson, Corelight)
+
+  * convenience functions to check for aggregate types (Vern Paxson, Corelight)
+
+  * fix header includes to have proper zeek/ prefixes (Vern Paxson, Corelight)
+
 4.1.0-dev.288 | 2021-03-08 12:29:14 -0800

  * GH-1426: Improve handling of Broker data store creation failures (Jon Siwek, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-4.1.0-dev.288
+4.1.0-dev.314
--- a/src/Expr.cc
+++ b/src/Expr.cc
@ -468,7 +468,7 @@ NameExpr::NameExpr(IDPtr arg_id, bool const_init)
 	}

 // This isn't in-lined to avoid needing to pull in ID.h.
-IDPtr NameExpr::IdPtr()
+const IDPtr& NameExpr::IdPtr() const
 	{
 	return id;
 	}
@ -3039,21 +3039,6 @@ void IndexExpr::ExprDescribe(ODesc* d) const
 		d->Add("]");
 	}

-TraversalCode IndexExpr::Traverse(TraversalCallback* cb) const
-	{
-	TraversalCode tc = cb->PreExpr(this);
-	HANDLE_TC_EXPR_PRE(tc);
-
-	tc = op1->Traverse(cb);
-	HANDLE_TC_EXPR_PRE(tc);
-
-	tc = op2->Traverse(cb);
-	HANDLE_TC_EXPR_PRE(tc);
-
-	tc = cb->PostExpr(this);
-	HANDLE_TC_EXPR_POST(tc);
-	}
-
 FieldExpr::FieldExpr(ExprPtr arg_op, const char* arg_field_name)
 	: UnaryExpr(EXPR_FIELD, std::move(arg_op)),
 	  field_name(util::copy_string(arg_field_name)), td(nullptr), field(0)
--- a/src/Expr.h
+++ b/src/Expr.h
@ -82,6 +82,7 @@ enum BroExprTag : int {
 extern const char* expr_name(BroExprTag t);

 class AddToExpr;
+class AnyIndexExpr;
 class AssignExpr;
 class CallExpr;
 class ConstExpr;
@ -93,6 +94,7 @@ class ForExpr;
 class HasFieldExpr;
 class IndexAssignExpr;
 class IndexExpr;
+class IsExpr;
 class InlineExpr;
 class ListExpr;
 class NameExpr;
@ -200,6 +202,7 @@ public:
 	IntrusivePtr<ctype> As ## ctype ## Ptr ();

 	ZEEK_EXPR_ACCESSOR_DECLS(AddToExpr)
+	ZEEK_EXPR_ACCESSOR_DECLS(AnyIndexExpr)
 	ZEEK_EXPR_ACCESSOR_DECLS(AssignExpr)
 	ZEEK_EXPR_ACCESSOR_DECLS(CallExpr)
 	ZEEK_EXPR_ACCESSOR_DECLS(ConstExpr)
@ -211,6 +214,7 @@ public:
 	ZEEK_EXPR_ACCESSOR_DECLS(HasFieldExpr)
 	ZEEK_EXPR_ACCESSOR_DECLS(IndexAssignExpr)
 	ZEEK_EXPR_ACCESSOR_DECLS(IndexExpr)
+	ZEEK_EXPR_ACCESSOR_DECLS(IsExpr)
 	ZEEK_EXPR_ACCESSOR_DECLS(InlineExpr)
 	ZEEK_EXPR_ACCESSOR_DECLS(ListExpr)
 	ZEEK_EXPR_ACCESSOR_DECLS(NameExpr)
@ -405,7 +409,7 @@ public:
 	explicit NameExpr(IDPtr id, bool const_init = false);

 	ID* Id() const		{ return id.get(); }
-	IDPtr IdPtr();
+	const IDPtr& IdPtr() const;

 	ValPtr Eval(Frame* f) const override;
 	void Assign(Frame* f, ValPtr v) override;
@ -748,7 +752,7 @@ public:

 	// Optimization-related:
 	ExprPtr Duplicate() override;
-	bool WillTransform(Reducer* c) const override	{ return true; }
+	bool WillTransform(Reducer* c) const override;
 	bool WillTransformInConditional(Reducer* c) const override;
 	ExprPtr Reduce(Reducer* c, StmtPtr& red_stmt) override;

@ -919,8 +923,6 @@ public:
 	// not necessarily return a vector.
 	ValPtr Eval(Frame* f) const override;

-	TraversalCode Traverse(TraversalCallback* cb) const override;
-
 	bool IsSlice() const { return is_slice; }

 	// Optimization-related:
@ -1009,6 +1011,7 @@ public:
 	~HasFieldExpr() override;

 	const char* FieldName() const	{ return field_name; }
+	int Field() const		{ return field; }

 	// Optimization-related:
 	ExprPtr Duplicate() override;
@ -1424,6 +1427,8 @@ class IsExpr final : public UnaryExpr {
 public:
 	IsExpr(ExprPtr op, TypePtr t);

+	TypePtr TestType() const	{ return t; }
+
 	// Optimization-related:
 	ExprPtr Duplicate() override;

--- a/src/Options.cc
+++ b/src/Options.cc
@ -151,6 +151,7 @@ static void set_analysis_option(const char* opt, Options& opts)
 		{
 		opts.analysis_options.inliner = true;
 		opts.analysis_options.activate = true;
+		opts.analysis_options.optimize_AST = true;
 		return;
 		}

@ -161,6 +162,7 @@ static void set_analysis_option(const char* opt, Options& opts)
 		fprintf(stderr, "    dump-xform	dump transformed scripts to stdout; implies xform\n");
 		fprintf(stderr, "    help	print this list\n");
 		fprintf(stderr, "    inline	inline function calls\n");
+		fprintf(stderr, "    optimize-AST	optimize the (transformed) AST; implies xform\n");
 		fprintf(stderr, "    recursive	report on recursive functions and exit\n");
 		fprintf(stderr, "    xform	tranform scripts to \"reduced\" form\n");
 		exit(0);
@ -178,6 +180,8 @@ static void set_analysis_option(const char* opt, Options& opts)
 		a_o.inliner = a_o.report_recursive = true;
 	else if ( util::streq(opt, "xform") )
 		a_o.activate = true;
+	else if ( util::streq(opt, "optimize-AST") )
+		a_o.activate = a_o.optimize_AST = true;

 	else
 		{
--- a/src/Type.cc
+++ b/src/Type.cc
@ -648,7 +648,7 @@ int FuncType::MatchesIndex(detail::ListExpr* const index) const
 			MATCHES_INDEX_SCALAR : DOES_NOT_MATCH_INDEX;
 	}

-bool FuncType::CheckArgs(const TypePList* args, bool is_init) const
+bool FuncType::CheckArgs(const TypePList* args, bool is_init, bool do_warn) const
 	{
 	std::vector<TypePtr> as;
 	as.reserve(args->length());
@ -656,18 +656,19 @@ bool FuncType::CheckArgs(const TypePList* args, bool is_init) const
 	for ( auto a : *args )
 		as.emplace_back(NewRef{}, a);

-	return CheckArgs(as, is_init);
+	return CheckArgs(as, is_init, do_warn);
 	}

 bool FuncType::CheckArgs(const std::vector<TypePtr>& args,
-                         bool is_init) const
+                         bool is_init, bool do_warn) const
 	{
 	const auto& my_args = arg_types->GetTypes();

 	if ( my_args.size() != args.size() )
 		{
-		Warn(util::fmt("Wrong number of arguments for function. Expected %zu, got %zu.",
-		               args.size(), my_args.size()));
+		if ( do_warn )
+			Warn(util::fmt("Wrong number of arguments for function. Expected %zu, got %zu.",
+				       args.size(), my_args.size()));
 		return false;
 		}

@ -676,8 +677,9 @@ bool FuncType::CheckArgs(const std::vector<TypePtr>& args,
 	for ( size_t i = 0; i < my_args.size(); ++i )
 		if ( ! same_type(args[i], my_args[i], is_init) )
 			{
-			Warn(util::fmt("Type mismatch in function argument #%zu. Expected %s, got %s.",
-			               i, type_name(args[i]->Tag()), type_name(my_args[i]->Tag())));
+			if ( do_warn )
+				Warn(util::fmt("Type mismatch in function argument #%zu. Expected %s, got %s.",
+					       i, type_name(args[i]->Tag()), type_name(my_args[i]->Tag())));
 			success = false;
 			}

@ -1647,7 +1649,7 @@ bool same_type(const Type& arg_t1, const Type& arg_t2,
 				return false;
 			}

-		return ft1->CheckArgs(ft2->ParamList()->GetTypes(), is_init);
+		return ft1->CheckArgs(ft2->ParamList()->GetTypes(), is_init, false);
 		}

 	case TYPE_RECORD:
--- a/src/Type.h
+++ b/src/Type.h
@ -447,9 +447,10 @@ public:
 		{ yield = nullptr; flavor = arg_flav; }

 	int MatchesIndex(detail::ListExpr* index) const override;
-	bool CheckArgs(const TypePList* args, bool is_init = false) const;
+	bool CheckArgs(const TypePList* args, bool is_init = false,
+			bool do_warn = true) const;
 	bool CheckArgs(const std::vector<TypePtr>& args,
-	               bool is_init = false) const;
+	               bool is_init = false, bool do_warn = true) const;

 	const TypeListPtr& ParamList() const
 		{ return arg_types; }
@ -840,6 +841,14 @@ inline bool IsAggr(TypeTag tag)
 	{
 	return tag == TYPE_VECTOR || tag == TYPE_TABLE || tag == TYPE_RECORD;
 	}
+inline bool IsAggr(const Type* t)
+	{
+	return IsAggr(t->Tag());
+	}
+inline bool IsAggr(const TypePtr& t)
+	{
+	return IsAggr(t->Tag());
+	}

 // True if the given type tag corresponds to the error type.
 inline bool IsErrorType(TypeTag t)	{ return (t == TYPE_ERROR); }
--- a/src/script_opt/Expr.cc
+++ b/src/script_opt/Expr.cc
@ -67,12 +67,24 @@ const AddToExpr* Expr::AsAddToExpr() const
 	return (const AddToExpr*) this;
 	}

+const IsExpr* Expr::AsIsExpr() const
+	{
+	CHECK_TAG(tag, EXPR_IS, "ExprVal::AsIsExpr", expr_name)
+	return (const IsExpr*) this;
+	}
+
 const InlineExpr* Expr::AsInlineExpr() const
 	{
 	CHECK_TAG(tag, EXPR_INLINE, "ExprVal::AsInlineExpr", expr_name)
 	return (const InlineExpr*) this;
 	}

+const AnyIndexExpr* Expr::AsAnyIndexExpr() const
+	{
+	CHECK_TAG(tag, EXPR_ANY_INDEX, "ExprVal::AsAnyIndexExpr", expr_name)
+	return (const AnyIndexExpr*) this;
+	}
+
 ExprPtr Expr::GetOp1() const { return nullptr; }
 ExprPtr Expr::GetOp2() const { return nullptr; }
 ExprPtr Expr::GetOp3() const { return nullptr; }
@ -989,7 +1001,7 @@ ExprPtr ModExpr::Duplicate()
 // nullptr, and the caller should have ensured that the starting point is
 // a disjunction (since a bare "/pat/ in var" by itself isn't a "cascade"
 // and doesn't present a potential optimization opportunity.
-static bool is_pattern_cascade(ExprPtr e, IDPtr& id,
+static bool is_pattern_cascade(const ExprPtr& e, IDPtr& id,
 				std::vector<ConstExprPtr>& patterns)
 	{
 	auto lhs = e->GetOp1();
@ -1002,7 +1014,7 @@ static bool is_pattern_cascade(ExprPtr e, IDPtr& id,
 		     rhs->Tag() != EXPR_NAME )
 			return false;

-		auto rhs_id = rhs->AsNameExpr()->IdPtr();
+		const auto& rhs_id = rhs->AsNameExpr()->IdPtr();

 		if ( id && rhs_id != id )
 			return false;
@ -1042,9 +1054,14 @@ ExprPtr BoolExpr::Duplicate()
 	return SetSucc(new BoolExpr(tag, op1_d, op2_d));
 	}

+bool BoolExpr::WillTransform(Reducer* c) const
+	{
+	return ! IsVector(op1->GetType()->Tag());
+	}
+
 bool BoolExpr::WillTransformInConditional(Reducer* c) const
 	{
-	IDPtr common_id = nullptr;
+	IDPtr common_id;
 	std::vector<ConstExprPtr> patterns;

 	ExprPtr e_ptr = {NewRef{}, (Expr*) this};
@ -1107,6 +1124,14 @@ ExprPtr BoolExpr::Reduce(Reducer* c, StmtPtr& red_stmt)
 			}
 		}

+	if ( IsVector(op1->GetType()->Tag()) )
+		{
+		if ( c->Optimizing() )
+			return ThisPtr();
+		else
+			return AssignToTemporary(c, red_stmt);
+		}
+
 	auto else_val = is_and ? val_mgr->False() : val_mgr->True();
 	ExprPtr else_e = make_intrusive<ConstExpr>(else_val);

--- a/src/script_opt/Reduce.cc
+++ b/src/script_opt/Reduce.cc
@ -1,13 +1,13 @@
 // See the file "COPYING" in the main distribution directory for copyright.

-#include "ID.h"
-#include "Var.h"
-#include "Scope.h"
-#include "Expr.h"
-#include "Stmt.h"
-#include "Desc.h"
-#include "ProfileFunc.h"
-#include "Reporter.h"
+#include "zeek/ID.h"
+#include "zeek/Var.h"
+#include "zeek/Scope.h"
+#include "zeek/Expr.h"
+#include "zeek/Stmt.h"
+#include "zeek/Desc.h"
+#include "zeek/Reporter.h"
+#include "zeek/script_opt/ProfileFunc.h"
 #include "zeek/script_opt/Reduce.h"
 #include "zeek/script_opt/TempVar.h"

@ -15,17 +15,6 @@
 namespace zeek::detail {


-Reducer::Reducer(Scope* s)
-	{
-	scope = s;
-	}
-
-Reducer::~Reducer()
-	{
-	for ( int i = 0; i < temps.length(); ++i )
-		delete temps[i];
-	}
-
 ExprPtr Reducer::GenTemporaryExpr(const TypePtr& t, ExprPtr rhs)
 	{
 	auto e = make_intrusive<NameExpr>(GenTemporary(t, rhs));
@ -38,7 +27,7 @@ NameExprPtr Reducer::UpdateName(NameExprPtr n)
 	if ( NameIsReduced(n.get()) )
 		return n;

-	return make_intrusive<NameExpr>(FindNewLocal(n.get()));
+	return make_intrusive<NameExpr>(FindNewLocal(n));
 	}

 bool Reducer::NameIsReduced(const NameExpr* n) const
@ -80,7 +69,7 @@ bool Reducer::IDsAreReduced(const IDPList* ids) const

 bool Reducer::IDsAreReduced(const std::vector<IDPtr>& ids) const
 	{
-	for ( auto& id : ids )
+	for ( const auto& id : ids )
 		if ( ! ID_IsReduced(id) )
 			return false;

@ -92,7 +81,7 @@ IDPtr Reducer::UpdateID(IDPtr id)
 	if ( ID_IsReduced(id) )
 		return id;

-	return FindNewLocal(id.get());
+	return FindNewLocal(id);
 	}

 bool Reducer::ID_IsReduced(const ID* id) const
@ -101,9 +90,9 @@ bool Reducer::ID_IsReduced(const ID* id) const
 		IsNewLocal(id);
 	}

-NameExprPtr Reducer::GenInlineBlockName(IDPtr id)
+NameExprPtr Reducer::GenInlineBlockName(const IDPtr& id)
 	{
-	return make_intrusive<NameExpr>(GenLocal(id.get()));
+	return make_intrusive<NameExpr>(GenLocal(id));
 	}

 NameExprPtr Reducer::PushInlineBlock(TypePtr type)
@ -138,65 +127,566 @@ bool Reducer::SameVal(const Val* v1, const Val* v2) const
 		return v1 == v2;
 	}

-IDPtr Reducer::GenTemporary(const TypePtr& t, ExprPtr rhs)
+ExprPtr Reducer::NewVarUsage(IDPtr var, const DefPoints* dps, const Expr* orig)
 	{
-	if ( Optimizing() )
-		reporter->InternalError("Generating a new temporary while optimizing");
+	if ( ! dps )
+		reporter->InternalError("null defpoints in NewVarUsage");

-	auto temp = new TempVar(temps.length(), t, rhs);
-	IDPtr temp_id = install_ID(temp->Name(), "<internal>", false, false);
+	auto var_usage = make_intrusive<NameExpr>(var);
+	SetDefPoints(var_usage.get(), dps);
+	TrackExprReplacement(orig, var_usage.get());

-	temp->SetID(temp_id);
-	temp_id->SetType(t);
-
-	temps.append(temp);
-	ids_to_temps[temp_id.get()] = temp;
-
-	return temp_id;
+	return var_usage;
 	}

-IDPtr Reducer::FindNewLocal(ID* id)
+const DefPoints* Reducer::GetDefPoints(const NameExpr* var)
 	{
-	auto mapping = orig_to_new_locals.find(id);
+	auto dps = FindDefPoints(var);

-	if ( mapping != orig_to_new_locals.end() )
-		return mapping->second;
+	if ( ! dps )
+		{
+		auto id = var->Id();
+		auto di = mgr->GetConstID_DI(id);
+		auto rds = mgr->GetPreMaxRDs(GetRDLookupObj(var));

-	return GenLocal(id);
+		dps = rds->GetDefPoints(di);
+
+		SetDefPoints(var, dps);
+		}
+
+	return dps;
 	}

-IDPtr Reducer::GenLocal(ID* orig)
+const DefPoints* Reducer::FindDefPoints(const NameExpr* var) const
 	{
-	if ( Optimizing() )
-		reporter->InternalError("Generating a new local while optimizing");
-
-	char buf[8192];
-	int n = new_locals.size();
-	snprintf(buf, sizeof buf, "%s.%d", orig->Name(), n);
-
-	IDPtr local_id = install_ID(buf, "<internal>", false, false);
-	local_id->SetType(orig->GetType());
-	local_id->SetAttrs(orig->GetAttrs());
-
-	new_locals.insert(local_id.get());
-	orig_to_new_locals[orig] = local_id;
-
-	return local_id;
-	}
-
-bool Reducer::IsNewLocal(const ID* id) const
-	{
-	ID* non_const_ID = (ID*) id;	// I don't get why C++ requires this
-	return new_locals.count(non_const_ID) != 0;
-	}
-
-TempVar* Reducer::FindTemporary(const ID* id) const
-	{
-	auto tmp = ids_to_temps.find(id);
-	if ( tmp == ids_to_temps.end() )
+	auto dps = var_usage_to_DPs.find(var);
+	if ( dps == var_usage_to_DPs.end() )
 		return nullptr;
 	else
-		return tmp->second;
+		return dps->second;
+	}
+
+void Reducer::SetDefPoints(const NameExpr* var, const DefPoints* dps)
+	{
+	var_usage_to_DPs[var] = dps;
+	}
+
+bool Reducer::SameOp(const Expr* op1, const Expr* op2)
+	{
+	if ( op1 == op2 )
+		return true;
+
+	if ( op1->Tag() != op2->Tag() )
+		return false;
+
+	if ( op1->Tag() == EXPR_NAME )
+		{
+		// Needs to be both the same identifier and in contexts
+		// where the identifier has the same definition points.
+		auto op1_n = op1->AsNameExpr();
+		auto op2_n = op2->AsNameExpr();
+
+		auto op1_id = op1_n->Id();
+		auto op2_id = op2_n->Id();
+
+		if ( op1_id != op2_id )
+			return false;
+
+		auto op1_dps = GetDefPoints(op1_n);
+		auto op2_dps = GetDefPoints(op2_n);
+
+		return same_DPs(op1_dps, op2_dps);
+		}
+
+	else if ( op1->Tag() == EXPR_CONST )
+		{
+		auto op1_c = op1->AsConstExpr();
+		auto op2_c = op2->AsConstExpr();
+
+		auto op1_v = op1_c->Value();
+		auto op2_v = op2_c->Value();
+
+		return SameVal(op1_v, op2_v);
+		}
+
+	else if ( op1->Tag() == EXPR_LIST )
+		{
+		auto op1_l = op1->AsListExpr()->Exprs();
+		auto op2_l = op2->AsListExpr()->Exprs();
+
+		if ( op1_l.length() != op2_l.length() )
+			return false;
+
+		for ( auto i = 0; i < op1_l.length(); ++i )
+			if ( ! SameExpr(op1_l[i], op2_l[i]) )
+				return false;
+
+		return true;
+		}
+
+	reporter->InternalError("bad singleton tag");
+	return false;
+	}
+
+bool Reducer::SameExpr(const Expr* e1, const Expr* e2)
+	{
+	if ( e1 == e2 )
+		return true;
+
+	if ( e1->Tag() != e2->Tag() )
+		return false;
+
+	if ( ! same_type(e1->GetType(), e2->GetType()) )
+		return false;
+
+	switch ( e1->Tag() ) {
+	case EXPR_NAME:
+	case EXPR_CONST:
+		return SameOp(e1, e2);
+
+	case EXPR_CLONE:
+	case EXPR_RECORD_CONSTRUCTOR:
+	case EXPR_TABLE_CONSTRUCTOR:
+	case EXPR_SET_CONSTRUCTOR:
+	case EXPR_VECTOR_CONSTRUCTOR:
+	case EXPR_EVENT:
+	case EXPR_SCHEDULE:
+		// These always generate a new value.
+		return false;
+
+	case EXPR_INCR:
+	case EXPR_DECR:
+	case EXPR_AND_AND:
+	case EXPR_OR_OR:
+	case EXPR_ASSIGN:
+	case EXPR_FIELD_ASSIGN:
+	case EXPR_INDEX_SLICE_ASSIGN:
+		// All of these should have been translated into something
+		// else.
+		reporter->InternalError("Unexpected tag in Reducer::SameExpr");
+
+	case EXPR_ANY_INDEX:
+		{
+		auto a1 = e1->AsAnyIndexExpr();
+		auto a2 = e2->AsAnyIndexExpr();
+
+		if ( a1->Index() != a2->Index() )
+			return false;
+
+		return SameOp(a1->GetOp1(), a2->GetOp1());
+		}
+
+	case EXPR_FIELD:
+		{
+		auto f1 = e1->AsFieldExpr();
+		auto f2 = e2->AsFieldExpr();
+
+		if ( f1->Field() != f2->Field() )
+			return false;
+
+		return SameOp(f1->GetOp1(), f2->GetOp1());
+		}
+
+	case EXPR_HAS_FIELD:
+		{
+		auto f1 = e1->AsHasFieldExpr();
+		auto f2 = e2->AsHasFieldExpr();
+
+		if ( f1->Field() != f2->Field() )
+			return false;
+
+		return SameOp(f1->GetOp1(), f2->GetOp1());
+		}
+
+	case EXPR_LIST:
+		{
+		auto l1 = e1->AsListExpr()->Exprs();
+		auto l2 = e2->AsListExpr()->Exprs();
+
+		ASSERT(l1.length() == l2.length());
+
+		for ( int i = 0; i < l1.length(); ++i )
+			if ( ! SameExpr(l1[i], l2[i]) )
+				return false;
+
+		return true;
+		}
+
+	case EXPR_CALL:
+		{
+		auto c1 = e1->AsCallExpr();
+		auto c2 = e2->AsCallExpr();
+		auto f1 = c1->Func();
+		auto f2 = c2->Func();
+
+		if ( f1 != f2 )
+			return false;
+
+		if ( ! f1->IsPure() )
+			return false;
+
+		return SameExpr(c1->Args(), c2->Args());
+		}
+
+	case EXPR_LAMBDA:
+		return false;
+
+	case EXPR_IS:
+		{
+		if ( ! SameOp(e1->GetOp1(), e2->GetOp1()) )
+			return false;
+
+		auto i1 = e1->AsIsExpr();
+		auto i2 = e2->AsIsExpr();
+
+		return same_type(i1->TestType(), i2->TestType());
+		}
+
+	default:
+		if ( ! e1->GetOp1() )
+			reporter->InternalError("Bad default in Reducer::SameExpr");
+
+		if ( ! SameOp(e1->GetOp1(), e2->GetOp1()) )
+			return false;
+
+		if ( e1->GetOp2() && ! SameOp(e1->GetOp2(), e2->GetOp2()) )
+			return false;
+
+		if ( e1->GetOp3() && ! SameOp(e1->GetOp3(), e2->GetOp3()) )
+			return false;
+
+		return true;
+	}
+	}
+
+IDPtr Reducer::FindExprTmp(const Expr* rhs, const Expr* a,
+				const std::shared_ptr<const TempVar>& lhs_tmp)
+	{
+	for ( const auto& et_i : expr_temps )
+		{
+		if ( et_i->Alias() || ! et_i->IsActive() || et_i == lhs_tmp )
+			// This can happen due to re-reduction while
+			// optimizing.
+			continue;
+
+		auto et_i_expr = et_i->RHS();
+
+		if ( SameExpr(rhs, et_i_expr) )
+			{
+			// We have an apt candidate.  Make sure its value
+			// always makes it here.
+			auto id = et_i->Id().get();
+
+			// We use 'a' in the following rather than rhs
+			// because the RHS can get rewritten (for example,
+			// due to folding) after we generate RDs, and
+			// thus might not have any.
+			if ( ! mgr->HasSinglePreMinRD(a, id) )
+				// The temporary's value isn't guaranteed
+				// to make it here.
+				continue;
+
+			// Make sure there aren't ambiguities due to
+			// possible modifications to aggregates.
+			if ( ! ExprValid(id, et_i_expr, a) )
+				continue;
+
+			return et_i->Id();
+			}
+		}
+
+	return nullptr;
+	}
+
+bool Reducer::ExprValid(const ID* id, const Expr* e1, const Expr* e2) const
+	{
+	// Here are the considerations for expression validity.
+	//
+	// * None of the operands used in the given expression can
+	//   have been assigned.
+	//
+	// * If the expression yields an aggregate, or one of the
+	//   operands in the expression is an aggregate, then there
+	//   must not be any assignments to aggregates of the same
+	//   type(s).  This is to deal with possible aliases.
+	//
+	// * Same goes to modifications of aggregates via "add" or "delete".
+	//
+	// * No propagation of expressions that are based on aggregates
+	//   across function calls.
+	//
+	// * No propagation of expressions that are based on globals
+	//   across calls.
+
+	// Tracks which ID's are germane for our analysis.
+	std::vector<const ID*> ids;
+
+	ids.push_back(id);
+
+	// Identify variables involved in the expression.
+	CheckIDs(e1->GetOp1().get(), ids);
+	CheckIDs(e1->GetOp2().get(), ids);
+	CheckIDs(e1->GetOp3().get(), ids);
+
+	if ( e1->Tag() == EXPR_NAME )
+		ids.push_back(e1->AsNameExpr()->Id());
+
+	CSE_ValidityChecker vc(ids, e1, e2);
+	reduction_root->Traverse(&vc);
+
+	return vc.IsValid();
+	}
+
+void Reducer::CheckIDs(const Expr* e, std::vector<const ID*>& ids) const
+	{
+	if ( ! e )
+		return;
+
+	if ( e->Tag() == EXPR_LIST )
+		{
+		const auto& e_l = e->AsListExpr()->Exprs();
+		for ( auto i = 0; i < e_l.length(); ++i )
+			CheckIDs(e_l[i], ids);
+		}
+
+	else if ( e->Tag() == EXPR_NAME )
+		ids.push_back(e->AsNameExpr()->Id());
+	}
+
+bool Reducer::IsCSE(const AssignExpr* a, const NameExpr* lhs, const Expr* rhs)
+	{
+	auto a_max_rds = mgr->GetPostMaxRDs(GetRDLookupObj(a));
+
+	auto lhs_id = lhs->Id();
+	auto lhs_tmp = FindTemporary(lhs_id);	// nil if LHS not a temporary
+	auto rhs_tmp = FindExprTmp(rhs, a, lhs_tmp);
+
+	ExprPtr new_rhs;
+	if ( rhs_tmp )
+		{ // We already have a temporary
+		auto tmp_di = mgr->GetConstID_DI(rhs_tmp.get());
+		auto dps = a_max_rds->GetDefPoints(tmp_di);
+		new_rhs = NewVarUsage(rhs_tmp, dps, rhs);
+		rhs = new_rhs.get();
+		}
+
+	if ( lhs_tmp )
+		{
+		if ( rhs->Tag() == EXPR_CONST )
+			{ // mark temporary as just being a constant
+			lhs_tmp->SetConst(rhs->AsConstExpr());
+			return true;
+			}
+
+		if ( rhs->Tag() == EXPR_NAME )
+			{
+			auto rhs_id = rhs->AsNameExpr()->IdPtr();
+			auto rhs_tmp_var = FindTemporary(rhs_id.get());
+
+			if ( rhs_tmp_var && rhs_tmp_var->Const() )
+				{ // temporary can be replaced with constant
+				lhs_tmp->SetConst(rhs_tmp_var->Const());
+				return true;
+				}
+
+			// Treat the LHS as either an alias for the RHS,
+			// or as a constant if the RHS is a constant in
+			// this context.
+			auto rhs_di = mgr->GetConstID_DI(rhs_id.get());
+			auto dps = a_max_rds->GetDefPoints(rhs_di);
+
+			auto rhs_const = CheckForConst(rhs_id, dps);
+			if ( rhs_const )
+				lhs_tmp->SetConst(rhs_const);
+			else
+				lhs_tmp->SetAlias(rhs_id, dps);
+
+			return true;
+			}
+
+		// Track where we define the temporary.
+		auto lhs_di = mgr->GetConstID_DI(lhs_id);
+		auto dps = a_max_rds->GetDefPoints(lhs_di);
+		if ( lhs_tmp->DPs() && ! same_DPs(lhs_tmp->DPs(), dps) )
+			reporter->InternalError("double DPs for temporary");
+
+		lhs_tmp->SetDPs(dps);
+		SetDefPoints(lhs, dps);
+
+		expr_temps.emplace_back(lhs_tmp);
+		}
+
+	return false;
+	}
+
+const ConstExpr* Reducer::CheckForConst(const IDPtr& id,
+					const DefPoints* dps) const
+	{
+	if ( ! dps || dps->length() == 0 )
+		// This can happen for access to uninitialized values.
+		return nullptr;
+
+	if ( dps->length() != 1 )
+		// Multiple definitions of the variable reach to this
+		// location.  In theory we could check whether they *all*
+		// provide the same constant, but that hardly seems likely.
+		return nullptr;
+
+	// Identifier has a unique definition.
+	auto dp = (*dps)[0];
+	const Expr* e = nullptr;
+
+	if ( dp.Tag() == STMT_DEF )
+		{
+		auto s = dp.StmtVal();
+
+		if ( s->Tag() == STMT_CATCH_RETURN )
+			{
+			// Change 's' to refer to the associated assignment
+			// statement, if any.
+			auto cr = s->AsCatchReturnStmt();
+			s = cr->AssignStmt().get();
+
+			if ( ! s )
+				return nullptr;
+			}
+
+		if ( s->Tag() != STMT_EXPR )
+			// Defined in a statement other than an assignment.
+			return nullptr;
+
+		e = s->AsExprStmt()->StmtExpr();
+		}
+
+	else if ( dp.Tag() == EXPR_DEF )
+		e = dp.ExprVal();
+
+	else
+		return nullptr;
+
+	if ( e->Tag() != EXPR_ASSIGN )
+		// Not sure why this would happen, other than EXPR_APPEND_TO,
+		// but in any case not an expression we can mine for a
+		// constant.
+		return nullptr;
+
+	auto rhs = e->GetOp2();
+
+	if ( rhs->Tag() != EXPR_CONST )
+		return nullptr;
+
+	return rhs->AsConstExpr();
+	}
+
+void Reducer::TrackExprReplacement(const Expr* orig, const Expr* e)
+	{
+	new_expr_to_orig[e] = orig;
+	}
+
+const Obj* Reducer::GetRDLookupObj(const Expr* e) const
+	{
+	auto orig_e = new_expr_to_orig.find(e);
+	if ( orig_e == new_expr_to_orig.end() )
+		return e;
+	else
+		return orig_e->second;
+	}
+
+ExprPtr Reducer::OptExpr(Expr* e)
+	{
+	StmtPtr opt_stmts;
+	auto opt_e = e->Reduce(this, opt_stmts);
+
+	if ( opt_stmts )
+		reporter->InternalError("Generating new statements while optimizing");
+
+	if ( opt_e->Tag() == EXPR_NAME )
+		return UpdateExpr(opt_e);
+
+	return opt_e;
+	}
+
+ExprPtr Reducer::UpdateExpr(ExprPtr e)
+	{
+	if ( e->Tag() != EXPR_NAME )
+		return OptExpr(e);
+
+	auto n = e->AsNameExpr();
+	auto id = n->Id();
+
+	if ( id->IsGlobal() )
+		return e;
+
+	auto tmp_var = FindTemporary(id);
+	if ( ! tmp_var )
+		{
+		auto max_rds = mgr->GetPreMaxRDs(GetRDLookupObj(n));
+
+		IDPtr id_ptr = {NewRef{}, id};
+		auto di = mgr->GetConstID_DI(id);
+		auto dps = max_rds->GetDefPoints(di);
+
+		auto is_const = CheckForConst(id_ptr, dps);
+		if ( is_const )
+			{
+			// Remember this variable as one whose value
+			// we used for constant propagation.  That
+			// ensures we can subsequently not complain
+			// about it being assigned but not used (though
+			// we can still omit the assignment).
+			constant_vars.insert(id);
+			return make_intrusive<ConstExpr>(is_const->ValuePtr());
+			}
+
+		return e;
+		}
+
+	if ( tmp_var->Const() )
+		return make_intrusive<ConstExpr>(tmp_var->Const()->ValuePtr());
+
+	auto alias = tmp_var->Alias();
+	if ( alias )
+		{
+		// Make sure that the definition points for the
+		// alias here are the same as when the alias
+		// was created.
+		auto alias_tmp = FindTemporary(alias.get());
+
+		if ( alias_tmp )
+			{
+			while ( alias_tmp->Alias() )
+				{
+				// Alias chains can occur due to
+				// re-reduction while optimizing.
+				auto a_id = alias_tmp->Id();
+				if ( a_id == id )
+					return e;
+
+				alias_tmp = FindTemporary(alias_tmp->Id().get());
+				}
+
+			// Temporaries always have only one definition point,
+			// so no need to check for consistency.
+			auto new_usage = NewVarUsage(alias, alias_tmp->DPs(), e.get());
+			return new_usage;
+			}
+
+		auto e_max_rds = mgr->GetPreMaxRDs(GetRDLookupObj(e.get()));
+		auto alias_di = mgr->GetConstID_DI(alias.get());
+		auto alias_dps = e_max_rds->GetDefPoints(alias_di);
+
+		if ( same_DPs(alias_dps, tmp_var->DPs()) )
+			return NewVarUsage(alias, alias_dps, e.get());
+		else
+			return e;
+		}
+
+	auto rhs = tmp_var->RHS();
+	if ( rhs->Tag() != EXPR_CONST )
+		return e;
+
+	auto c = rhs->AsConstExpr();
+	return make_intrusive<ConstExpr>(c->ValuePtr());
 	}

 StmtPtr Reducer::MergeStmts(const NameExpr* lhs, ExprPtr rhs, Stmt* succ_stmt)
@ -258,9 +748,291 @@ StmtPtr Reducer::MergeStmts(const NameExpr* lhs, ExprPtr rhs, Stmt* succ_stmt)
 	return make_intrusive<ExprStmt>(merge_e);
 	}

-void Reducer::TrackExprReplacement(const Expr* orig, const Expr* e)
+IDPtr Reducer::GenTemporary(const TypePtr& t, ExprPtr rhs)
 	{
-	new_expr_to_orig[e] = orig;
+	if ( Optimizing() )
+		reporter->InternalError("Generating a new temporary while optimizing");
+
+	if ( omitted_stmts.size() > 0 )
+		reporter->InternalError("Generating a new temporary while pruning statements");
+
+	auto temp = std::make_shared<TempVar>(temps.size(), t, rhs);
+	IDPtr temp_id = install_ID(temp->Name(), "<internal>", false, false);
+
+	temp->SetID(temp_id);
+	temp_id->SetType(t);
+
+	temps.push_back(temp);
+	ids_to_temps[temp_id.get()] = temp;
+
+	return temp_id;
+	}
+
+IDPtr Reducer::FindNewLocal(const IDPtr& id)
+	{
+	auto mapping = orig_to_new_locals.find(id.get());
+
+	if ( mapping != orig_to_new_locals.end() )
+		return mapping->second;
+
+	return GenLocal(id);
+	}
+
+IDPtr Reducer::GenLocal(const IDPtr& orig)
+	{
+	if ( Optimizing() )
+		reporter->InternalError("Generating a new local while optimizing");
+
+	if ( omitted_stmts.size() > 0 )
+		reporter->InternalError("Generating a new local while pruning statements");
+
+	char buf[8192];
+	int n = new_locals.size();
+	snprintf(buf, sizeof buf, "%s.%d", orig->Name(), n);
+
+	IDPtr local_id = install_ID(buf, "<internal>", false, false);
+	local_id->SetType(orig->GetType());
+	local_id->SetAttrs(orig->GetAttrs());
+
+	new_locals.insert(local_id.get());
+	orig_to_new_locals[orig.get()] = local_id;
+
+	return local_id;
+	}
+
+bool Reducer::IsNewLocal(const ID* id) const
+	{
+	ID* non_const_ID = (ID*) id;	// I don't get why C++ requires this
+	return new_locals.count(non_const_ID) != 0;
+	}
+
+std::shared_ptr<TempVar> Reducer::FindTemporary(const ID* id) const
+	{
+	auto tmp = ids_to_temps.find(id);
+	if ( tmp == ids_to_temps.end() )
+		return nullptr;
+	else
+		return tmp->second;
+	}
+
+
+CSE_ValidityChecker::CSE_ValidityChecker(const std::vector<const ID*>& _ids,
+				const Expr* _start_e, const Expr* _end_e)
+: ids(_ids)
+	{
+	start_e = _start_e;
+	end_e = _end_e;
+
+	// Track whether this is a record assignment, in which case
+	// we're attuned to assignments to the same field for the
+	// same type of record.
+	if ( start_e->Tag() == EXPR_FIELD )
+		{
+		field = start_e->AsFieldExpr()->Field();
+
+		// Track the type of the record, too, so we don't confuse
+		// field references to different records that happen to
+		// have the same offset as potential aliases.
+		field_type = start_e->GetOp1()->GetType();
+		}
+
+	else
+		field = -1;	// flags that there's no relevant field
+	}
+
+TraversalCode CSE_ValidityChecker::PreStmt(const Stmt* s)
+	{
+	if ( s->Tag() == STMT_ADD || s->Tag() == STMT_DELETE )
+		in_aggr_mod_stmt = true;
+
+	return TC_CONTINUE;
+	}
+
+TraversalCode CSE_ValidityChecker::PostStmt(const Stmt* s)
+	{
+	if ( s->Tag() == STMT_ADD || s->Tag() == STMT_DELETE )
+		in_aggr_mod_stmt = false;
+
+	return TC_CONTINUE;
+	}
+
+TraversalCode CSE_ValidityChecker::PreExpr(const Expr* e)
+	{
+	if ( e == start_e )
+		{
+		ASSERT(! have_start_e);
+		have_start_e = true;
+
+		// Don't analyze the expression, as it's our starting
+		// point and we don't want to conflate its properties
+		// with those of any intervening expression.
+		return TC_CONTINUE;
+		}
+
+	if ( e == end_e )
+		{
+		if ( ! have_start_e )
+			reporter->InternalError("CSE_ValidityChecker: saw end but not start");
+
+		ASSERT(! have_end_e);
+		have_end_e = true;
+
+		// ... and we're now done.
+		return TC_ABORTALL;
+		}
+
+	if ( ! have_start_e )
+		// We don't yet have a starting point.
+		return TC_CONTINUE;
+
+	// We have a starting point, and not yet an ending point.
+	auto t = e->Tag();
+
+	switch ( t ) {
+	case EXPR_ASSIGN:
+		{
+		auto lhs_ref = e->GetOp1()->AsRefExprPtr();
+		auto lhs = lhs_ref->GetOp1()->AsNameExpr();
+
+		if ( CheckID(ids, lhs->Id(), false) )
+			{
+			is_valid = false;
+			return TC_ABORTALL;
+			}
+
+		// Note, we don't use CheckAggrMod() because this
+		// is a plain assignment.  It might be changing a variable's
+		// binding to an aggregate, but it's not changing the
+		// aggregate itself.
+		}
+		break;
+
+	case EXPR_INDEX_ASSIGN:
+		{
+		auto lhs_aggr = e->GetOp1();
+		auto lhs_aggr_id = lhs_aggr->AsNameExpr()->Id();
+
+		if ( CheckID(ids, lhs_aggr_id, true) || CheckAggrMod(ids, e) )
+			{
+			is_valid = false;
+			return TC_ABORTALL;
+			}
+		}
+		break;
+
+	case EXPR_FIELD_LHS_ASSIGN:
+		{
+		auto lhs = e->GetOp1();
+		auto lhs_aggr_id = lhs->AsNameExpr()->Id();
+		auto lhs_field = e->AsFieldLHSAssignExpr()->Field();
+
+		if ( lhs_field == field &&
+		     same_type(lhs_aggr_id->GetType(), field_type) )
+			{
+			// Potential assignment to the same field as for
+			// our expression of interest.  Even if the
+			// identifier involved is not one we have our eye
+			// on, due to aggregate aliasing this could be
+			// altering the value of our expression, so bail.
+			is_valid = false;
+			return TC_ABORTALL;
+			}
+
+		if ( CheckID(ids, lhs_aggr_id, true) || CheckAggrMod(ids, e) )
+			{
+			is_valid = false;
+			return TC_ABORTALL;
+			}
+		}
+		break;
+
+	case EXPR_CALL:
+		{
+		for ( auto i : ids )
+			if ( i->IsGlobal() || IsAggr(i->GetType()) )
+				{
+				is_valid = false;
+				return TC_ABORTALL;
+				}
+		}
+		break;
+
+	default:
+		if ( in_aggr_mod_stmt && (t == EXPR_INDEX || t == EXPR_FIELD) )
+			{
+			auto aggr = e->GetOp1();
+			auto aggr_id = aggr->AsNameExpr()->Id();
+
+			if ( CheckID(ids, aggr_id, true) )
+				{
+				is_valid = false;
+				return TC_ABORTALL;
+				}
+			}
+
+		break;
+	}
+
+	return TC_CONTINUE;
+	}
+
+bool CSE_ValidityChecker::CheckID(const std::vector<const ID*>& ids,
+					const ID* id, bool ignore_orig) const
+	{
+	// Only check type info for aggregates.
+	auto id_t = IsAggr(id->GetType()) ? id->GetType() : nullptr;
+
+	for ( auto i : ids )
+		{
+		if ( ignore_orig && i == ids.front() )
+			continue;
+
+		if ( id == i )
+			return true;	// reassignment
+
+		if ( id_t && same_type(id_t, i->GetType()) )
+			// Same-type aggregate.
+			return true;
+		}
+
+	return false;
+	}
+
+bool CSE_ValidityChecker::CheckAggrMod(const std::vector<const ID*>& ids,
+					const Expr* e) const
+	{
+	const auto& e_i_t = e->GetType();
+	if ( IsAggr(e_i_t) )
+		{
+		// This assignment sets an aggregate value.
+		// Look for type matches.
+		for ( auto i : ids )
+			if ( same_type(e_i_t, i->GetType()) )
+				return true;
+		}
+
+	return false;
+	}
+
+
+bool same_DPs(const DefPoints* dp1, const DefPoints* dp2)
+	{
+	if ( dp1 == dp2 )
+		return true;
+
+	if ( ! dp1 || ! dp2 )
+		return false;
+
+	// Given how we construct DPs, they should be element-by-element
+	// equivalent; we don't have to worry about reordering.
+	if ( dp1->length() != dp2->length() )
+		return false;
+
+	for ( auto i = 0; i < dp1->length(); ++i )
+		if ( ! (*dp1)[i].SameAs((*dp2)[i]) )
+			return false;
+
+	return true;
 	}


--- a/src/script_opt/Reduce.h
+++ b/src/script_opt/Reduce.h
@ -5,6 +5,7 @@
 #include "zeek/Scope.h"
 #include "zeek/Expr.h"
 #include "zeek/Stmt.h"
+#include "zeek/Traverse.h"
 #include "zeek/script_opt/DefSetsMgr.h"

 namespace zeek::detail {
@ -15,12 +16,12 @@ class ProfileFunc;

 class Reducer {
 public:
-	Reducer(Scope* s);
-	~Reducer();
+	Reducer()	{ }

 	StmtPtr Reduce(StmtPtr s)
 		{
-		return s->Reduce(this);
+		reduction_root = std::move(s);
+		return reduction_root->Reduce(this);
 		}

 	const DefSetsMgr* GetDefSetsMgr() const		{ return mgr; }
@ -44,7 +45,7 @@ public:

 	// This is called *prior* to pushing a new inline block, in
 	// order to generate the equivalent of function parameters.
-	NameExprPtr GenInlineBlockName(IDPtr id);
+	NameExprPtr GenInlineBlockName(const IDPtr& id);

 	int NumNewLocals() const	{ return new_locals.size(); }

@ -63,7 +64,7 @@ public:
 	void PushBifurcation()		{ ++bifurcation_level; }
 	void PopBifurcation()		{ --bifurcation_level; }

-	int NumTemps() const		{ return temps.length(); }
+	int NumTemps() const		{ return temps.size(); }

 	// True if this name already reflects the replacement.
 	bool IsNewLocal(const NameExpr* n) const
@ -118,57 +119,112 @@ public:
 		replaced_stmts.clear();
 		}

-	// NOT YET IMPLEMENTED, SO CURRENTLY A STUB:
 	// Given the LHS and RHS of an assignment, returns true
 	// if the RHS is a common subexpression (meaning that the
 	// current assignment statement should be deleted).  In
 	// that case, has the side effect of associating an alias
-	// for the LHS with the temporary holding the equivalent RHS.
+	// for the LHS with the temporary variable that holds the
+	// equivalent RHS.
 	//
 	// Assumes reduction (including alias propagation) has
 	// already been applied.
-	bool IsCSE(const AssignExpr* a, const NameExpr* lhs, const Expr* rhs)
-		{ return false; }
+	bool IsCSE(const AssignExpr* a, const NameExpr* lhs, const Expr* rhs);

 	// Given an lhs=rhs statement followed by succ_stmt, returns
 	// a (new) merge of the two if they're of the form tmp=rhs, var=tmp;
 	// otherwise, nil.
 	StmtPtr MergeStmts(const NameExpr* lhs, ExprPtr rhs, Stmt* succ_stmt);

-	// The following two methods will, in the future, update expressions
-	// with optimized versions.  They are distinct because the first
-	// one (meant for calls in a Stmt reduction context) will also Reduce
-	// the expression, whereas the second one (meant for calls in an Expr
-	// context) does not, to avoid circularity.
-	//
-	// For now, they are stubs.
-	//
-	// These two are used for use in optimizing expressions that appear in
-	// a Stmt context.
-	ExprPtr OptExpr(Expr* e)	{ return {NewRef{}, e}; }
-	ExprPtr OptExpr(ExprPtr e)	{ return e; }
-	// This one for expressions appearing in an Expr context.
-	ExprPtr UpdateExpr(ExprPtr e)	{ return e; }
+	// Update expressions with optimized versions.  They are distinct
+	// because the first two (meant for calls in a Stmt reduction
+	// context) will also Reduce the expression, whereas the last
+	// one (meant for calls in an Expr context) does not, to avoid
+	// circularity.
+	ExprPtr OptExpr(Expr* e);
+	ExprPtr OptExpr(const ExprPtr& e)
+		{ return OptExpr(e.get()); }

-	const Scope* FuncScope() const	{ return scope; }
+	// This one for expressions appearing in an Expr context.
+	ExprPtr UpdateExpr(ExprPtr e);

 protected:
+	// True if two Val's refer to the same underlying value.  We gauge
+	// this conservatively (i.e., for complicated values we just return
+	// false, even if with a lot of work we could establish that they
+	// are in fact equivalent.)
 	bool SameVal(const Val* v1, const Val* v2) const;

+	// Track that the variable "var", which has the given set of
+	// definition points, will be a replacement for the "orig"
+	// expression.  Returns the replacement expression (which is
+	// is just a NameExpr referring to "var").
+	ExprPtr NewVarUsage(IDPtr var, const DefPoints* dps, const Expr* orig);
+
+	// Returns the definition points associated with "var".  If none
+	// exist in our cache, then populates the cache.
+	const DefPoints* GetDefPoints(const NameExpr* var);
+
+	// Retrieve the definition points associated in our cache with the
+	// given variable, if any.
+	const DefPoints* FindDefPoints(const NameExpr* var) const;
+
+	// Adds a mapping in our cache of the given variable to the given
+	// set of definition points.
+	void SetDefPoints(const NameExpr* var, const DefPoints* dps);
+
+	// Returns true if op1 and op2 represent the same operand, given
+	// the reaching definitions available at their usages (e1 and e2).
+	bool SameOp(const Expr* op1, const Expr* op2);
+	bool SameOp(const ExprPtr& op1, const ExprPtr& op2)
+		{ return SameOp(op1.get(), op2.get()); }
+
+	// True if e1 and e2 reflect identical expressions in the context
+	// of using a value computed for one of them in lieu of computing
+	// the other.  (Thus, for example, two record construction expressions
+	// are never equivalent even if they both specify exactly the same
+	// record elements, because each invocation of the expression produces
+	// a distinct value.)
+	bool SameExpr(const Expr* e1, const Expr* e2);
+
+	// Finds a temporary, if any, whose RHS matches the given "rhs", using
+	// the reaching defs associated with the assignment "a".  The context
+	// is that "rhs" is currently being assigned to temporary "lhs_tmp"
+	// (nil if the assignment isn't to a temporary), and we're wondering
+	// whether we can skip that assignment because we already have the
+	// exact same value available in a previously assigned temporary.
+	IDPtr FindExprTmp(const Expr* rhs, const Expr* a,
+				const std::shared_ptr<const TempVar>& lhs_tmp);
+
+	// Tests whether an expression computed at e1 (and assigned to "id")
+	// remains valid for substitution at e2.
+	bool ExprValid(const ID* id, const Expr* e1, const Expr* e2) const;
+
+	// Inspects the given expression for identifiers, adding any
+	// observed to the given vector.  Assumes reduced form, so only
+	// NameExpr's and ListExpr's are of interest - does not traverse
+	// into compound expressions.
+	void CheckIDs(const Expr* e, std::vector<const ID*>& ids) const;
+
 	IDPtr GenTemporary(const TypePtr& t, ExprPtr rhs);
-	TempVar* FindTemporary(const ID* id) const;
+	std::shared_ptr<TempVar> FindTemporary(const ID* id) const;

 	// Retrieve the identifier corresponding to the new local for
 	// the given expression.  Creates the local if necessary.
-	IDPtr FindNewLocal(ID* id);
-	IDPtr FindNewLocal(const NameExpr* n)
-		{ return FindNewLocal(n->Id()); }
+	IDPtr FindNewLocal(const IDPtr& id);
+	IDPtr FindNewLocal(const NameExprPtr& n)
+		{ return FindNewLocal(n->IdPtr()); }

 	// Generate a new local to use in lieu of the original (seen
 	// in an inlined block).  The difference is that the new
 	// version has a distinct name and has a correct frame offset
 	// for the current function.
-	IDPtr GenLocal(ID* orig);
+	IDPtr GenLocal(const IDPtr& orig);
+
+	// This is the heart of constant propagation.  Given an identifier
+	// and a set of definition points for it, if its value is constant
+	// then returns the corresponding ConstExpr with the value.
+	const ConstExpr* CheckForConst(const IDPtr& id,
+					const DefPoints* dps) const;

 	// Track that we're replacing instances of "orig" with a new
 	// expression.  This allows us to locate the RDs associated
@ -176,21 +232,36 @@ protected:
 	// requiring an additional RD propagation pass.
 	void TrackExprReplacement(const Expr* orig, const Expr* e);

-	Scope* scope;
-	PList<TempVar> temps;
+	// Returns the object we should use to look up RD's associated
+	// with 'e'.  (This isn't necessarily 'e' itself because we
+	// may have decided to replace it with a different expression,
+	// per TrackExprReplacement().)
+	const Obj* GetRDLookupObj(const Expr* e) const;
+
+	// Tracks the temporary variables created during the reduction/
+	// optimization process.
+	std::vector<std::shared_ptr<TempVar>> temps;

 	// Temps for which we've processed their associated expression
 	// (and they didn't wind up being aliases).
-	PList<TempVar> expr_temps;
+	std::vector<std::shared_ptr<const TempVar>> expr_temps;

-	// Let's us go from an identifier to an associated temporary
+	// Lets us go from an identifier to an associated temporary
 	// variable, if it corresponds to one.
-	std::unordered_map<const ID*, TempVar*> ids_to_temps;
+	std::unordered_map<const ID*, std::shared_ptr<TempVar>> ids_to_temps;

+	// Local variables created during reduction/optimization.
 	std::unordered_set<ID*> new_locals;
+
+	// Mapping of original identifiers to new locals.  Used to
+	// rename local variables when inlining.
 	std::unordered_map<const ID*, IDPtr> orig_to_new_locals;

+	// Which statements to elide from the AST (because optimization
+	// has determined they're no longer needed).
 	std::unordered_set<const Stmt*> omitted_stmts;
+
+	// Maps statements to replacements constructed during optimization.
 	std::unordered_map<const Stmt*, StmtPtr> replaced_stmts;

 	// Tracks whether we're inside an inline block, and if so then
@ -203,6 +274,12 @@ protected:
 	// exponentially.
 	int bifurcation_level = 0;

+	// For a given usage of a variable's value, return the definition
+	// points associated with its use at that point.  We use this
+	// both as a cache (populating it every time we do a more laborious
+	// lookup), and proactively when creating new references to variables.
+	std::unordered_map<const NameExpr*, const DefPoints*> var_usage_to_DPs;
+
 	// Tracks which (non-temporary) variables had constant
 	// values used for constant propagation.
 	std::unordered_set<const ID*> constant_vars;
@ -212,9 +289,87 @@ protected:
 	// with the usage.
 	std::unordered_map<const Expr*, const Expr*> new_expr_to_orig;

+	// Statement at which the current reduction started.
+	StmtPtr reduction_root = nullptr;
+
 	const DefSetsMgr* mgr = nullptr;
 };

+
+// Helper class that walks an AST to determine whether it's safe
+// to substitute a common subexpression (which at this point is
+// an assignment to a variable) created using the assignment
+// expression at position "start_e", at the location specified by
+// the expression at position "end_e".
+//
+// See Reducer::ExprValid for a discussion of what's required
+// for safety.
+
+class CSE_ValidityChecker : public TraversalCallback {
+public:
+	CSE_ValidityChecker(const std::vector<const ID*>& ids,
+			const Expr* start_e, const Expr* end_e);
+
+	TraversalCode PreStmt(const Stmt*) override;
+	TraversalCode PostStmt(const Stmt*) override;
+	TraversalCode PreExpr(const Expr*) override;
+
+	// Returns the ultimate verdict re safety.
+	bool IsValid() const
+		{
+		if ( ! is_valid )
+			return false;
+
+		if ( ! have_end_e )
+			reporter->InternalError("CSE_ValidityChecker: saw start but not end");
+		return true;
+		}
+
+protected:
+	// Returns true if an assigment involving the given identifier on
+	// the LHS is in conflict with the given list of identifiers.
+	bool CheckID(const std::vector<const ID*>& ids, const ID* id,
+			bool ignore_orig) const;
+
+	// Returns true if the assignment given by 'e' modifies an aggregate
+	// with the same type as that of one of the identifiers.
+	bool CheckAggrMod(const std::vector<const ID*>& ids,
+				const Expr* e) const;
+
+	// The list of identifiers for which an assignment to one of them
+	// renders the CSE unsafe.
+	const std::vector<const ID*>& ids;
+
+	// Where in the AST to start our analysis.  This is the initial
+	// assignment expression.
+	const Expr* start_e;
+
+	// Where in the AST to end our analysis.
+	const Expr* end_e;
+
+	// If what we're analyzing is a record element, then its offset.
+	// -1 if not.
+	int field;
+
+	// The type of that record element, if any.
+	TypePtr field_type;
+
+	// The verdict so far.
+	bool is_valid = true;
+
+	// Whether we've encountered the start/end expression in
+	// the AST traversal.
+	bool have_start_e = false;
+	bool have_end_e = false;
+
+	// Whether analyzed expressions occur in the context of
+	// a statement that modifies an aggregate ("add" or "delete").
+	bool in_aggr_mod_stmt = false;
+};
+
+
+extern bool same_DPs(const DefPoints* dp1, const DefPoints* dp2);
+
 // Used for debugging, to communicate which expression wasn't
 // reduced when we expected them all to be.
 extern const Expr* non_reduced_perp;
--- a/src/script_opt/ScriptOpt.cc
+++ b/src/script_opt/ScriptOpt.cc
@ -49,7 +49,7 @@ void optimize_func(ScriptFunc* f, std::shared_ptr<ProfileFunc> pf,
 	auto scope = scope_ptr.release();
 	push_existing_scope(scope);

-	auto rc = std::make_shared<Reducer>(scope);
+	auto rc = std::make_shared<Reducer>();
 	auto new_body = rc->Reduce(body);

 	if ( reporter->Errors() > 0 )
@ -78,8 +78,39 @@ void optimize_func(ScriptFunc* f, std::shared_ptr<ProfileFunc> pf,
 	f->ReplaceBody(body, new_body);
 	body = new_body;

+	if ( analysis_options.optimize_AST )
+		{
+		pf = std::make_shared<ProfileFunc>(false);
+		body->Traverse(pf.get());
+
+		RD_Decorate reduced_rds(pf);
+		reduced_rds.TraverseFunction(f, scope, body);
+
+		if ( reporter->Errors() > 0 )
+			{
+			pop_scope();
+			return;
+			}
+
+		rc->SetDefSetsMgr(reduced_rds.GetDefSetsMgr());
+
+		new_body = rc->Reduce(body);
+
+		if ( reporter->Errors() > 0 )
+			{
+			pop_scope();
+			return;
+			}
+
+		if ( analysis_options.only_func || analysis_options.dump_xform )
+			printf("Optimized: %s\n", obj_desc(new_body.get()).c_str());
+
+		f->ReplaceBody(body, new_body);
+		body = new_body;
+		}
+
 	// Profile the new body.
-	pf = std::make_shared<ProfileFunc>(false);
+	pf = std::make_shared<ProfileFunc>();
 	body->Traverse(pf.get());

 	// Compute its reaching definitions.
@ -133,6 +164,7 @@ void analyze_scripts()
 		check_env_opt("ZEEK_DUMP_XFORM", analysis_options.dump_xform);
 		check_env_opt("ZEEK_DUMP_UDS", analysis_options.dump_uds);
 		check_env_opt("ZEEK_INLINE", analysis_options.inliner);
+		check_env_opt("ZEEK_OPT", analysis_options.optimize_AST);
 		check_env_opt("ZEEK_XFORM", analysis_options.activate);

 		auto usage = getenv("ZEEK_USAGE_ISSUES");
@ -148,6 +180,7 @@ void analyze_scripts()
 			}

 		if ( analysis_options.only_func ||
+		     analysis_options.optimize_AST ||
 		     analysis_options.usage_issues > 0 )
 			analysis_options.activate = true;

@ -157,6 +190,12 @@ void analyze_scripts()
 	if ( ! analysis_options.activate && ! analysis_options.inliner )
 		return;

+	if ( analysis_options.usage_issues > 0 && analysis_options.optimize_AST )
+		{
+		fprintf(stderr, "warning: \"-O optimize-AST\" option is incompatible with -u option, deactivating optimization\n");
+		analysis_options.optimize_AST = false;
+		}
+
 	// Now that everything's parsed and BiF's have been initialized,
 	// profile the functions.
 	std::unordered_map<const ScriptFunc*, std::shared_ptr<ProfileFunc>>
--- a/src/script_opt/ScriptOpt.h
+++ b/src/script_opt/ScriptOpt.h
@ -22,6 +22,9 @@ struct AnalyOpt {
 	// Whether to analyze scripts.
 	bool activate = false;

+	// Whether to optimize the AST.
+	bool optimize_AST = false;
+
 	// If true, dump out transformed code: the results of reducing
 	// interpreted scripts, and, if optimize is set, of then optimizing
 	// them.  Always done if only_func is set.
--- a/src/script_opt/TempVar.cc
+++ b/src/script_opt/TempVar.cc
@ -11,7 +11,31 @@ TempVar::TempVar(int num, const TypePtr& t, ExprPtr _rhs) : type(t)
 	char buf[8192];
 	snprintf(buf, sizeof buf, "#%d", num);
 	name = buf;
-	id = nullptr;
+	rhs = std::move(_rhs);
+	}
+
+void TempVar::SetAlias(IDPtr _alias, const DefPoints* _dps)
+	{
+	if ( alias )
+		reporter->InternalError("Re-aliasing a temporary");
+
+	if ( ! _dps )
+		{
+		printf("trying to alias %s to %s\n", name.c_str(), _alias->Name());
+		reporter->InternalError("Empty dps for alias");
+		}
+
+	if ( alias == id )
+		reporter->InternalError("Creating alias loop");
+
+	alias = std::move(_alias);
+	dps = _dps;
+	}
+
+void TempVar::SetDPs(const DefPoints* _dps)
+	{
+	ASSERT(_dps->length() == 1);
+	dps = _dps;
 	}

 } // zeek::detail
--- a/src/script_opt/TempVar.h
+++ b/src/script_opt/TempVar.h
@ -9,6 +9,7 @@

 #include "zeek/ID.h"
 #include "zeek/Expr.h"
+#include "zeek/script_opt/ReachingDefs.h"

 namespace zeek::detail {

@ -25,12 +26,31 @@ public:
 	void Deactivate()	{ active = false; }
 	bool IsActive() const	{ return active; }

+	// Associated constant expression, if any.
+	const ConstExpr* Const() const	{ return const_expr; }
+
+	// The most use of "const" in any single line in the Zeek
+	// codebase :-P ... though only by one!
+	void SetConst(const ConstExpr* _const) { const_expr = _const; }
+
+	IDPtr Alias() const			{ return alias; }
+	const DefPoints* DPs() const		{ return dps; }
+	void SetAlias(IDPtr id, const DefPoints* dps);
+	void SetDPs(const DefPoints* _dps);
+
+	const RDPtr& MaxRDs() const	{ return max_rds; }
+	void SetMaxRDs(RDPtr rds)	{ max_rds = std::move(rds); }
+
 protected:
 	std::string name;
 	IDPtr id;
 	const TypePtr& type;
 	ExprPtr rhs;
 	bool active = true;
+	const ConstExpr* const_expr = nullptr;
+	IDPtr alias;
+	const DefPoints* dps = nullptr;
+	RDPtr max_rds;
 };

 } // zeek::detail
--- a/testing/btest/Baseline.opt/core.parse-only-usage-issues/out
+++ b/testing/btest/Baseline.opt/core.parse-only-usage-issues/out
@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+warning: "-O optimize-AST" option is incompatible with -u option, deactivating optimization
+warning in <...>/parse-only-usage-issues.zeek, line 8: possibly used without definition (a)
--- a/testing/btest/Baseline.opt/language.uninitialized-local3/out
+++ b/testing/btest/Baseline.opt/language.uninitialized-local3/out
@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+warning: "-O optimize-AST" option is incompatible with -u option, deactivating optimization
+warning in <...>/uninitialized-local3.zeek, line 33: possibly used without definition (x4)
+expression error in <...>/uninitialized-local3.zeek, line 33: value used but not set (x4)
+x$a (x <...>/uninitialized-local3.zeek, line 20) possibly used without being set
+x$e (x <...>/uninitialized-local3.zeek, line 20) possibly used without being set
+x$e (x <...>/uninitialized-local3.zeek, line 24) possibly used without being set
+x2$worries$a (x2 <...>/uninitialized-local3.zeek, line 27) possibly used without being set
+x2$worries$e (x2 <...>/uninitialized-local3.zeek, line 27) possibly used without being set
+[a=<uninitialized>, b=<uninitialized>, c=9, d=<uninitialized>, e=<uninitialized>]
+[a=<uninitialized>, b=<uninitialized>, c=9, d=<uninitialized>, e=<uninitialized>]
+[no_worries=[a=<uninitialized>, b=<uninitialized>, c=9, d=<uninitialized>, e=<uninitialized>], worries=[a=<uninitialized>, b=<uninitialized>, c=9, d=<uninitialized>, e=<uninitialized>]]
+[no_worries=[a=<uninitialized>, b=<uninitialized>, c=9, d=<uninitialized>, e=<uninitialized>], worries=[a=<uninitialized>, b=<uninitialized>, c=9, d=<uninitialized>, e=<uninitialized>]]
--- a/testing/btest/Baseline.opt/language.unused-assignement/out
+++ b/testing/btest/Baseline.opt/language.unused-assignement/out
@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+warning: "-O optimize-AST" option is incompatible with -u option, deactivating optimization
+warning: please_warn assignment unused: please_warn = test; <...>/unused-assignement.zeek, line 7
--- a/testing/btest/Baseline.opt/plugins.hooks/output
+++ b/testing/btest/Baseline.opt/plugins.hooks/output
--- a/testing/btest/Baseline.opt/scripts.policy.misc.dump-events/all-events-no-args.log
+++ b/testing/btest/Baseline.opt/scripts.policy.misc.dump-events/all-events-no-args.log
@ -0,0 +1,237 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+         0.000000 zeek_init
+         0.000000 NetControl::init
+         0.000000 filter_change_tracking
+XXXXXXXXXX.XXXXXX Broker::log_flush
+XXXXXXXXXX.XXXXXX ChecksumOffloading::check
+XXXXXXXXXX.XXXXXX filter_change_tracking
+XXXXXXXXXX.XXXXXX new_connection
+XXXXXXXXXX.XXXXXX dns_message
+XXXXXXXXXX.XXXXXX dns_request
+XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX dns_end
+XXXXXXXXXX.XXXXXX dns_message
+XXXXXXXXXX.XXXXXX dns_CNAME_reply
+XXXXXXXXXX.XXXXXX dns_A_reply
+XXXXXXXXXX.XXXXXX dns_end
+XXXXXXXXXX.XXXXXX new_connection
+XXXXXXXXXX.XXXXXX connection_established
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX smtp_request
+XXXXXXXXXX.XXXXXX Broker::log_flush
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX smtp_request
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX smtp_request
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX smtp_request
+XXXXXXXXXX.XXXXXX Broker::log_flush
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX smtp_request
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX smtp_request
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX smtp_request
+XXXXXXXXXX.XXXXXX mime_begin_entity
+XXXXXXXXXX.XXXXXX Broker::log_flush
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_begin_entity
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_begin_entity
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX get_file_handle
+XXXXXXXXXX.XXXXXX file_new
+XXXXXXXXXX.XXXXXX file_over_new_connection
+XXXXXXXXXX.XXXXXX mime_end_entity
+XXXXXXXXXX.XXXXXX get_file_handle
+XXXXXXXXXX.XXXXXX file_sniff
+XXXXXXXXXX.XXXXXX file_state_remove
+XXXXXXXXXX.XXXXXX get_file_handle
+XXXXXXXXXX.XXXXXX mime_begin_entity
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX get_file_handle
+XXXXXXXXXX.XXXXXX file_new
+XXXXXXXXXX.XXXXXX file_over_new_connection
+XXXXXXXXXX.XXXXXX mime_end_entity
+XXXXXXXXXX.XXXXXX get_file_handle
+XXXXXXXXXX.XXXXXX file_sniff
+XXXXXXXXXX.XXXXXX file_state_remove
+XXXXXXXXXX.XXXXXX get_file_handle
+XXXXXXXXXX.XXXXXX mime_end_entity
+XXXXXXXXXX.XXXXXX get_file_handle
+XXXXXXXXXX.XXXXXX get_file_handle
+XXXXXXXXXX.XXXXXX mime_begin_entity
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX get_file_handle
+XXXXXXXXXX.XXXXXX file_new
+XXXXXXXXXX.XXXXXX file_over_new_connection
+XXXXXXXXXX.XXXXXX new_connection
+XXXXXXXXXX.XXXXXX file_sniff
+XXXXXXXXXX.XXXXXX Broker::log_flush
+XXXXXXXXXX.XXXXXX mime_end_entity
+XXXXXXXXXX.XXXXXX get_file_handle
+XXXXXXXXXX.XXXXXX file_state_remove
+XXXXXXXXXX.XXXXXX get_file_handle
+XXXXXXXXXX.XXXXXX mime_end_entity
+XXXXXXXXXX.XXXXXX get_file_handle
+XXXXXXXXXX.XXXXXX get_file_handle
+XXXXXXXXXX.XXXXXX get_file_handle
+XXXXXXXXXX.XXXXXX get_file_handle
+XXXXXXXXXX.XXXXXX smtp_request
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX Broker::log_flush
+XXXXXXXXXX.XXXXXX smtp_request
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX Broker::log_flush
+XXXXXXXXXX.XXXXXX new_connection
+XXXXXXXXXX.XXXXXX ChecksumOffloading::check
+XXXXXXXXXX.XXXXXX connection_state_remove
+XXXXXXXXXX.XXXXXX Broker::log_flush
+XXXXXXXXXX.XXXXXX connection_state_remove
+XXXXXXXXXX.XXXXXX connection_state_remove
+XXXXXXXXXX.XXXXXX connection_state_remove
+XXXXXXXXXX.XXXXXX filter_change_tracking
+XXXXXXXXXX.XXXXXX new_connection
+XXXXXXXXXX.XXXXXX Broker::log_flush
+XXXXXXXXXX.XXXXXX new_connection
+XXXXXXXXXX.XXXXXX connection_established
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX smtp_request
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX smtp_request
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX smtp_request
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX smtp_request
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX smtp_request
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX smtp_request
+XXXXXXXXXX.XXXXXX mime_begin_entity
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX mime_one_header
+XXXXXXXXXX.XXXXXX get_file_handle
+XXXXXXXXXX.XXXXXX file_new
+XXXXXXXXXX.XXXXXX file_over_new_connection
+XXXXXXXXXX.XXXXXX mime_end_entity
+XXXXXXXXXX.XXXXXX get_file_handle
+XXXXXXXXXX.XXXXXX file_sniff
+XXXXXXXXXX.XXXXXX file_state_remove
+XXXXXXXXXX.XXXXXX get_file_handle
+XXXXXXXXXX.XXXXXX get_file_handle
+XXXXXXXXXX.XXXXXX get_file_handle
+XXXXXXXXXX.XXXXXX smtp_request
+XXXXXXXXXX.XXXXXX smtp_reply
+XXXXXXXXXX.XXXXXX Broker::log_flush
+XXXXXXXXXX.XXXXXX new_connection
+XXXXXXXXXX.XXXXXX new_connection
+XXXXXXXXXX.XXXXXX new_connection
+XXXXXXXXXX.XXXXXX Broker::log_flush
+XXXXXXXXXX.XXXXXX connection_established
+XXXXXXXXXX.XXXXXX ssl_extension_server_name
+XXXXXXXXXX.XXXXXX ssl_extension
+XXXXXXXXXX.XXXXXX ssl_extension
+XXXXXXXXXX.XXXXXX ssl_extension
+XXXXXXXXXX.XXXXXX ssl_extension
+XXXXXXXXXX.XXXXXX ssl_extension
+XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX ssl_client_hello
+XXXXXXXXXX.XXXXXX ssl_handshake_message
+XXXXXXXXXX.XXXXXX ssl_plaintext_data
+XXXXXXXXXX.XXXXXX ssl_extension
+XXXXXXXXXX.XXXXXX ssl_server_hello
+XXXXXXXXXX.XXXXXX ssl_handshake_message
+XXXXXXXXXX.XXXXXX file_new
+XXXXXXXXXX.XXXXXX file_over_new_connection
+XXXXXXXXXX.XXXXXX file_sniff
+XXXXXXXXXX.XXXXXX file_hash
+XXXXXXXXXX.XXXXXX file_hash
+XXXXXXXXXX.XXXXXX x509_certificate
+XXXXXXXXXX.XXXXXX x509_extension
+XXXXXXXXXX.XXXXXX x509_extension
+XXXXXXXXXX.XXXXXX x509_extension
+XXXXXXXXXX.XXXXXX x509_ext_basic_constraints
+XXXXXXXXXX.XXXXXX x509_extension
+XXXXXXXXXX.XXXXXX x509_extension
+XXXXXXXXXX.XXXXXX x509_extension
+XXXXXXXXXX.XXXXXX x509_extension
+XXXXXXXXXX.XXXXXX x509_extension
+XXXXXXXXXX.XXXXXX x509_extension
+XXXXXXXXXX.XXXXXX x509_ext_subject_alternative_name
+XXXXXXXXXX.XXXXXX file_hash
+XXXXXXXXXX.XXXXXX file_state_remove
+XXXXXXXXXX.XXXXXX file_new
+XXXXXXXXXX.XXXXXX file_over_new_connection
+XXXXXXXXXX.XXXXXX file_sniff
+XXXXXXXXXX.XXXXXX file_hash
+XXXXXXXXXX.XXXXXX file_hash
+XXXXXXXXXX.XXXXXX x509_certificate
+XXXXXXXXXX.XXXXXX x509_extension
+XXXXXXXXXX.XXXXXX x509_extension
+XXXXXXXXXX.XXXXXX x509_extension
+XXXXXXXXXX.XXXXXX x509_ext_basic_constraints
+XXXXXXXXXX.XXXXXX x509_extension
+XXXXXXXXXX.XXXXXX x509_extension
+XXXXXXXXXX.XXXXXX x509_extension
+XXXXXXXXXX.XXXXXX x509_extension
+XXXXXXXXXX.XXXXXX file_hash
+XXXXXXXXXX.XXXXXX file_state_remove
+XXXXXXXXXX.XXXXXX ssl_handshake_message
+XXXXXXXXXX.XXXXXX ssl_handshake_message
+XXXXXXXXXX.XXXXXX ssl_plaintext_data
+XXXXXXXXXX.XXXXXX ssl_handshake_message
+XXXXXXXXXX.XXXXXX ssl_plaintext_data
+XXXXXXXXXX.XXXXXX ssl_change_cipher_spec
+XXXXXXXXXX.XXXXXX ssl_plaintext_data
+XXXXXXXXXX.XXXXXX ssl_change_cipher_spec
+XXXXXXXXXX.XXXXXX ssl_plaintext_data
+XXXXXXXXXX.XXXXXX ssl_established
+XXXXXXXXXX.XXXXXX net_done
+XXXXXXXXXX.XXXXXX Broker::log_flush
+XXXXXXXXXX.XXXXXX filter_change_tracking
+XXXXXXXXXX.XXXXXX connection_state_remove
+XXXXXXXXXX.XXXXXX connection_state_remove
+XXXXXXXXXX.XXXXXX connection_state_remove
+XXXXXXXXXX.XXXXXX connection_state_remove
+XXXXXXXXXX.XXXXXX connection_state_remove
+XXXXXXXXXX.XXXXXX zeek_done
+XXXXXXXXXX.XXXXXX ChecksumOffloading::check
--- a/testing/btest/Baseline.opt/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline.opt/scripts.policy.misc.dump-events/all-events.log
--- a/testing/btest/Baseline.opt/scripts.policy.misc.dump-events/really-all-events.log
+++ b/testing/btest/Baseline.opt/scripts.policy.misc.dump-events/really-all-events.log
--- a/testing/btest/Baseline.opt/scripts.policy.misc.dump-events/smtp-events.log
+++ b/testing/btest/Baseline.opt/scripts.policy.misc.dump-events/smtp-events.log
@ -0,0 +1,321 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=690.0 msecs 616.846085 usecs, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 220
+                  [3] cmd: string        = >
+                  [4] msg: string        = xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 
+                  [5] cont_resp: bool    = T
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=690.0 msecs 616.846085 usecs, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 220
+                  [3] cmd: string        = >
+                  [4] msg: string        = We do not authorize the use of this system to transport unsolicited, 
+                  [5] cont_resp: bool    = T
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=690.0 msecs 616.846085 usecs, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 220
+                  [3] cmd: string        = >
+                  [4] msg: string        = and/or bulk e-mail.
+                  [5] cont_resp: bool    = F
+
+XXXXXXXXXX.XXXXXX smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=695.0 msecs 762.872696 usecs, service={\x0aSMTP\x0a}, history=ShAdD, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = EHLO
+                  [3] arg: string        = GP
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 sec 37.0 msecs 137.031555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = xc90.websitewelcome.com Hello GP [122.162.143.157]
+                  [5] cont_resp: bool    = T
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 sec 37.0 msecs 137.031555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = SIZE 52428800
+                  [5] cont_resp: bool    = T
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 sec 37.0 msecs 137.031555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = PIPELINING
+                  [5] cont_resp: bool    = T
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 sec 37.0 msecs 137.031555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = AUTH PLAIN LOGIN
+                  [5] cont_resp: bool    = T
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 sec 37.0 msecs 137.031555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = STARTTLS
+                  [5] cont_resp: bool    = T
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 sec 37.0 msecs 137.031555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = HELP
+                  [5] cont_resp: bool    = F
+
+XXXXXXXXXX.XXXXXX smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 sec 39.0 msecs 682.865143 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = AUTH
+                  [3] arg: string        = LOGIN
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 sec 382.0 msecs 35.017014 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 334
+                  [3] cmd: string        = AUTH
+                  [4] msg: string        = VXNlcm5hbWU6
+                  [5] cont_resp: bool    = F
+
+XXXXXXXXXX.XXXXXX smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 sec 382.0 msecs 608.890533 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = **
+                  [3] arg: string        = Z3VycGFydGFwQHBhdHJpb3RzLmlu
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 sec 724.0 msecs 498.033524 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 334
+                  [3] cmd: string        = AUTH_ANSWER
+                  [4] msg: string        = UGFzc3dvcmQ6
+                  [5] cont_resp: bool    = F
+
+XXXXXXXXXX.XXXXXX smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 sec 725.0 msecs 71.907043 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = **
+                  [3] arg: string        = cHVuamFiQDEyMw==
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=2.0 secs 84.0 msecs 751.844406 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 235
+                  [3] cmd: string        = AUTH_ANSWER
+                  [4] msg: string        = Authentication succeeded
+                  [5] cont_resp: bool    = F
+
+XXXXXXXXXX.XXXXXX smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=2.0 secs 85.0 msecs 367.918015 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = MAIL
+                  [3] arg: string        = FROM: <gurpartap@patriots.in>
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=2.0 secs 427.0 msecs 718.877792 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = MAIL
+                  [4] msg: string        = OK
+                  [5] cont_resp: bool    = F
+
+XXXXXXXXXX.XXXXXX smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=2.0 secs 428.0 msecs 204.059601 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = RCPT
+                  [3] arg: string        = TO: <raj_deol2002in@yahoo.co.in>
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=2.0 secs 790.0 msecs 662.050247 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = RCPT
+                  [4] msg: string        = Accepted
+                  [5] cont_resp: bool    = F
+
+XXXXXXXXXX.XXXXXX smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=2.0 secs 791.0 msecs 157.007217 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = DATA
+                  [3] arg: string        = 
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 132.0 msecs 632.97081 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 354
+                  [3] cmd: string        = DATA
+                  [4] msg: string        = Enter message, ending with "." on a line by itself
+                  [5] cont_resp: bool    = F
+
+XXXXXXXXXX.XXXXXX smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 329.0 msecs 288.005829 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = .
+                  [3] arg: string        = .
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 719.0 msecs 743.013382 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = .
+                  [4] msg: string        = OK id=1Mugho-0003Dg-Un
+                  [5] cont_resp: bool    = F
+
+XXXXXXXXXX.XXXXXX smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 secs 234.0 msecs 778.881073 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = QUIT
+                  [3] arg: string        = 
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 secs 576.0 msecs 421.022415 usecs, service={\x0aSMTP\x0a}, history=ShAdDaTF, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 221
+                  [3] cmd: string        = QUIT
+                  [4] msg: string        = xc90.websitewelcome.com closing connection
+                  [5] cont_resp: bool    = F
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=10.0 msecs 246.992111 usecs, service={\x0a\x0a}, history=ShAd, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 220
+                  [3] cmd: string        = >
+                  [4] msg: string        = uprise ESMTP SubEthaSMTP null
+                  [5] cont_resp: bool    = F
+
+XXXXXXXXXX.XXXXXX smtp_request
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=26.0 msecs 411.056519 usecs, service={\x0aSMTP\x0a}, history=ShAdD, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = EHLO
+                  [3] arg: string        = [192.168.133.100]
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=29.0 msecs 386.043549 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = uprise
+                  [5] cont_resp: bool    = T
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=29.0 msecs 386.043549 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 uprise, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = 8BITMIME
+                  [5] cont_resp: bool    = T
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=29.0 msecs 386.043549 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 8BITMIME, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = AUTH LOGIN
+                  [5] cont_resp: bool    = T
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=29.0 msecs 386.043549 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH LOGIN, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = Ok
+                  [5] cont_resp: bool    = F
+
+XXXXXXXXXX.XXXXXX smtp_request
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=5, num_bytes_ip=296, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=30.0 msecs 136.108398 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = MAIL
+                  [3] arg: string        = FROM:<albert@example.com>
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=6, num_bytes_ip=380, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=32.0 msecs 890.081406 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = MAIL
+                  [4] msg: string        = Ok
+                  [5] cont_resp: bool    = F
+
+XXXXXXXXXX.XXXXXX smtp_request
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=7, num_bytes_ip=432, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=33.0 msecs 337.116241 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = RCPT
+                  [3] arg: string        = TO:<ericlim220@yahoo.com>
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=8, num_bytes_ip=516, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=36.0 msecs 91.089249 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = RCPT
+                  [4] msg: string        = Ok
+                  [5] cont_resp: bool    = F
+
+XXXXXXXXXX.XXXXXX smtp_request
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=9, num_bytes_ip=568, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=36.0 msecs 692.142487 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = RCPT
+                  [3] arg: string        = TO:<felica4uu@hotmail.com>
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=10, num_bytes_ip=653, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=40.0 msecs 729.045868 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = RCPT
+                  [4] msg: string        = Ok
+                  [5] cont_resp: bool    = F
+
+XXXXXXXXXX.XXXXXX smtp_request
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=11, num_bytes_ip=705, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=41.0 msecs 517.972946 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = RCPT
+                  [3] arg: string        = TO:<davis_mark1@outlook.com>
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=12, num_bytes_ip=792, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=44.0 msecs 173.955917 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = RCPT
+                  [4] msg: string        = Ok
+                  [5] cont_resp: bool    = F
+
+XXXXXXXXXX.XXXXXX smtp_request
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=44.0 msecs 801.950455 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = DATA
+                  [3] arg: string        = 
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=14, num_bytes_ip=902, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=47.0 msecs 863.006592 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 354
+                  [3] cmd: string        = DATA
+                  [4] msg: string        = End data with <CR><LF>.<CR><LF>
+                  [5] cont_resp: bool    = F
+
+XXXXXXXXXX.XXXXXX smtp_request
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=48.0 msecs 480.033875 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0afelica4uu@hotmail.com,\x0adavis_mark1@outlook.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=<uninitialized>, fuids=[Fc5KpS3kUYqDLwWSMf]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = .
+                  [3] arg: string        = .
+
+XXXXXXXXXX.XXXXXX smtp_reply
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=16, num_bytes_ip=1813, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=57.0 msecs 218.074799 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0afelica4uu@hotmail.com,\x0adavis_mark1@outlook.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=<uninitialized>, fuids=[Fc5KpS3kUYqDLwWSMf]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = .
+                  [4] msg: string        = Ok
+                  [5] cont_resp: bool    = F
+
--- a/testing/btest/Baseline.xform/broker.store.create-failure/zeek.err
+++ b/testing/btest/Baseline.xform/broker.store.create-failure/zeek.err
@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+error in <...>/create-failure.zeek, line 63: Failed to attach master store backend_failure: (Broker::create_master(../fail, Broker::SQLITE, <internal>::#1))
+error in <...>/create-failure.zeek, line 63: Could not create Broker master store '../fail' (Broker::create_master(../fail, Broker::SQLITE, <internal>::#1))
+error in <...>/create-failure.zeek, line 49: invalid Broker store handle (Broker::keys(s) and broker::store::{})
+error in <...>/create-failure.zeek, line 27: invalid Broker store handle (Broker::close(m1) and broker::store::{})
+error in <...>/create-failure.zeek, line 33: invalid Broker store handle (Broker::close(c2) and broker::store::{})
+error in <...>/create-failure.zeek, line 49: invalid Broker store handle (Broker::keys(s) and broker::store::{})
+error in <...>/create-failure.zeek, line 49: invalid Broker store handle (Broker::keys(s) and broker::store::{})
+error in <...>/create-failure.zeek, line 49: invalid Broker store handle (Broker::keys(s) and broker::store::{})
+error in <...>/create-failure.zeek, line 49: invalid Broker store handle (Broker::keys(s) and broker::store::{})
+received termination signal
--- a/testing/btest/Baseline.xform/scripts.base.frameworks.file-analysis.bifs.file_exists_lookup_file/.stdout
+++ b/testing/btest/Baseline.xform/scripts.base.frameworks.file-analysis.bifs.file_exists_lookup_file/.stdout
@ -1,6 +1,6 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 error: file ID asdf not a known file
-expression error in <...>/main.zeek, line 357: value used but not set (<internal>::#0)
+expression error in <...>/main.zeek, line 378: value used but not set (<internal>::#0)
 This should fail but not crash
 lookup fid: FMnxxt3xjVcWNS2141
 We should have found the file id: FMnxxt3xjVcWNS2141
--- a/testing/btest/Baseline/language.ternary-type-check/out
+++ b/testing/btest/Baseline/language.ternary-type-check/out
@ -1,8 +1,6 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 error in <...>/ternary-type-check.zeek, lines 13-14: operands must be of the same type ((F) ? (coerce [$a=a string, $b=6] to MyRecord) : [$a=a different string, $b=7])
-warning in <...>/ternary-type-check.zeek, line 18: Wrong number of arguments for function. Expected 1, got 2. (function(y:count; x:count;) : bool)
 error in <...>/ternary-type-check.zeek, line 32: operands must be of the same type (b < a ? foo : bar)
-warning in <...>/ternary-type-check.zeek, line 21: Wrong number of arguments for function. Expected 2, got 1. (function(y:count;) : bool)
 error in <...>/ternary-type-check.zeek, line 35: operands must be of the same type (b < a ? bar : foo)
 error in <...>/ternary-type-check.zeek, line 50: operands must be of the same type (T ? s : ss)
 error in <...>/ternary-type-check.zeek, line 51: operands must be of the same type (T ? t : tt)
--- a/testing/btest/btest.cfg
+++ b/testing/btest/btest.cfg
@ -65,6 +65,11 @@ BTEST_BASELINE_DIR=%(testbase)s/Baseline.inline:%(testbase)s/Baseline
 ZEEK_XFORM=1
 BTEST_BASELINE_DIR=%(testbase)s/Baseline.xform:%(testbase)s/Baseline

+[environment-opt]
+ZEEK_XFORM=1
+ZEEK_OPT=1
+BTEST_BASELINE_DIR=%(testbase)s/Baseline.opt:%(testbase)s/Baseline.xform:%(testbase)s/Baseline
+
 # The following is used for testing -u functionality.  We set $ZEEK_XFORM,
 # too, because the analysis is done on transformed ASTs, and some tests
 # might be sensitive to that fact.  For the same reason, we first fall