From 8ffbc69a4decbc128ac6aead368d41333efb8ef0 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 16 Nov 2020 15:36:50 +0000 Subject: [PATCH 01/40] Sumstats: epoch_finished was not called under certain circumstances In non-clustered mode, epoch_finished was not called when there was no data during the epoch. This behavior does not fit the documentation, and also is different in cluster-mode, where epoch_finished is, indeed, called after every epoch. This small change fixes this behavior. --- scripts/base/frameworks/sumstats/non-cluster.zeek | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/scripts/base/frameworks/sumstats/non-cluster.zeek b/scripts/base/frameworks/sumstats/non-cluster.zeek index 630f36bbcd..8146dc50bf 100644 --- a/scripts/base/frameworks/sumstats/non-cluster.zeek +++ b/scripts/base/frameworks/sumstats/non-cluster.zeek @@ -43,9 +43,15 @@ event SumStats::finish_epoch(ss: SumStat) if ( ss?$epoch_finished ) ss$epoch_finished(now); } - else if ( |data| > 0 ) + else { - event SumStats::process_epoch_result(ss, now, copy(data)); + if ( |data| > 0 ) + event SumStats::process_epoch_result(ss, now, copy(data)); + else + { + if ( ss?$epoch_finished ) + ss$epoch_finished(now); + } } } From 7362f30c3a110c916d5428ed2653738047d4dcfd Mon Sep 17 00:00:00 2001 
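Review bot: The new `else` branch in `SumStats::finish_epoch` adds two nesting levels where a flat chain says the same thing: `else if ( |data| > 0 ) event SumStats::process_epoch_result(ss, now, copy(data));` followed by `else if ( ss?$epoch_finished ) ss$epoch_finished(now);`. The handler now calls `epoch_finished` from two places, the branch visible just above the change and the new empty-data branch. A short comment such as `# No data this epoch: still signal completion, as cluster mode does.` would record why the second call exists. The handler starts and ends outside the hunk.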
From: Johanna Amann Date: Mon, 16 Nov 2020 10:52:47 +0000 Subject: [PATCH 02/40] Sumstats: allow users to manage epoch manually This change allows users to specify an epoch length of 0, which means that the user manually has to finish the epochs. A new next_epoch function is introduced to allow users to manually end epochs. Addresses GH-348 --- scripts/base/frameworks/sumstats/cluster.zeek | 3 +- scripts/base/frameworks/sumstats/main.zeek | 65 +++++++-- .../base/frameworks/sumstats/non-cluster.zeek | 5 +- .../manager-1..stdout | 11 ++ .../standalone..stdout | 8 ++ .../sumstats/manual-epoch-cluster.zeek | 123 ++++++++++++++++++ .../frameworks/sumstats/manual-epoch.zeek | 60 +++++++++ 7 files changed, 258 insertions(+), 17 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.sumstats.manual-epoch-cluster/manager-1..stdout create mode 100644 testing/btest/Baseline/scripts.base.frameworks.sumstats.manual-epoch/standalone..stdout create mode 100644 testing/btest/scripts/base/frameworks/sumstats/manual-epoch-cluster.zeek create mode 100644 testing/btest/scripts/base/frameworks/sumstats/manual-epoch.zeek diff --git a/scripts/base/frameworks/sumstats/cluster.zeek b/scripts/base/frameworks/sumstats/cluster.zeek index 86125884a5..2296a4e38c 100644 --- a/scripts/base/frameworks/sumstats/cluster.zeek +++ b/scripts/base/frameworks/sumstats/cluster.zeek @@ -272,7 +272,8 @@ event SumStats::finish_epoch(ss: SumStat) } # Schedule the next finish_epoch event. - schedule ss$epoch { SumStats::finish_epoch(ss) }; + if ( ss$epoch != 0secs ) + schedule ss$epoch { SumStats::finish_epoch(ss) }; } # This is unlikely to be called often, but it's here in diff --git a/scripts/base/frameworks/sumstats/main.zeek b/scripts/base/frameworks/sumstats/main.zeek index 3f73d278e5..9e5e3cb4d1 100644 --- a/scripts/base/frameworks/sumstats/main.zeek +++ b/scripts/base/frameworks/sumstats/main.zeek 
@@ -89,16 +89,20 @@ export { ## is no assurance provided as to where the callbacks ## will be executed on clusters. type SumStat: record { - ## An arbitrary name for the sumstat so that it can + ## An arbitrary name for the sumstat so that it can ## be referred to later. name: string; - - ## The interval at which this filter should be "broken" - ## and the *epoch_result* callback called. The + + ## The interval at which this sumstat should be "broken" + ## and the *epoch_result* callback called. The ## results are also reset at this time so any threshold ## based detection needs to be set to a ## value that should be expected to happen within ## this epoch. + ## + ## Passing an epoch of zero (e.g. ``0 secs``) causes this + ## sumstat to be set to manual epochs. You will have to manually + ## end the epoch by calling :zeek:see:`SumStats::next_epoch`. epoch: interval; ## The reducers for the SumStat. @@ -129,12 +133,12 @@ export { threshold_crossed: function(key: SumStats::Key, result: SumStats::Result) &optional; ## A callback that receives each of the results at the - ## end of the analysis epoch. The function will be + ## end of the analysis epoch. The function will be ## called once for each key. epoch_result: function(ts: time, key: SumStats::Key, result: SumStats::Result) &optional; - - ## A callback that will be called when a single collection - ## interval is completed. The *ts* value will be the time of + + ## A callback that will be called when a single collection + ## interval is completed. The *ts* value will be the time of ## when the collection started. epoch_finished: function(ts:time) &optional; }; 
@@ -156,8 +160,8 @@ export { global observe: function(id: string, key: SumStats::Key, obs: SumStats::Observation); ## Dynamically request a sumstat key. This function should be - ## used sparingly and not as a replacement for the callbacks - ## from the :zeek:see:`SumStats::SumStat` record. The function is only + ## used sparingly and not as a replacement for the callbacks + ## from the :zeek:see:`SumStats::SumStat` record. The function is only ## available for use within "when" statements as an asynchronous ## function. ## @@ -175,6 +179,23 @@ export { ## ## Returns: A string representation of the metric key. global key2str: function(key: SumStats::Key): string; + + ## Manually end the current epoch for a sumstat. Calling this function will + ## cause the end of the epoch processing of sumstats to start. Note that the + ## epoch will not end immidiately - especially in a cluster settings, a number + ## of messages need to be exchanged between the cluster nodes. + ## + ## Note that this function only can be called if the sumstat was created with + ## an epoch time of zero (manual epochs). + ## + ## In a cluster, this function must be called on the manager; it will not have + ## any effect when called on workers. + ## + ## ss_name: SumStat name. + ## + ## Returns: true on success, false on failure. Failures can be: sumstat not found, + ## or sumstat not created for manual epochs. + global next_epoch: function(ss_name: string): bool; } # The function prototype for plugins to do calculations. @@ -248,6 +269,19 @@ global data_added: function(ss: SumStat, key: Key, result: Result); # framework for clustered or non-clustered usage. global finish_epoch: event(ss: SumStat); +function next_epoch(ss_name: string): bool + { + if ( ss_name !in stats_store ) + return F; + + local ss = stats_store[ss_name]; + if ( ss$epoch != 0secs ) + return F; + + event SumStats::finish_epoch(ss); + return T; + } + function key2str(key: Key): string { local out = ""; 
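Review bot: `next_epoch` returns `T` as soon as the name is in `stats_store` and the epoch is `0secs`, yet the doc comment added in this same patch says the call has no effect on workers. A script on a worker therefore gets a success value for a call that did nothing. The `Returns:` text should either say that `T` only means the request was accepted locally, or the function should return `F` on nodes where it cannot act. Nothing visible stops a second call while an earlier manual epoch is still being collected across the cluster; whether `finish_epoch` tolerates that is not shown and deserves a sentence in the docs. The doc comment also contains the typos `immidiately` and `a cluster settings`.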
@@ -331,7 +365,7 @@ function reset(ss: SumStat) } } -# This could potentially recurse forever, but plugin authors +# This could potentially recurse forever, but plugin authors # should be making sure they aren't causing reflexive dependencies. function add_calc_deps(calcs: vector of Calculation, c: Calculation) { @@ -377,8 +411,8 @@ function create(ss: SumStat) if ( calc in calc_deps ) add_calc_deps(reducer$calc_funcs, calc); - # Don't add this calculation to the vector if - # it was already added by something else as a + # Don't add this calculation to the vector if + # it was already added by something else as a # dependency. local skip_calc=F; for ( j in reducer$calc_funcs ) @@ -396,7 +430,10 @@ function create(ss: SumStat) } reset(ss); - schedule ss$epoch { SumStats::finish_epoch(ss) }; + + ## do not schedule epoch if this is set to manual epochs. + if ( ss$epoch != 0secs ) + schedule ss$epoch { SumStats::finish_epoch(ss) }; } function observe(id: string, orig_key: Key, obs: Observation) diff --git a/scripts/base/frameworks/sumstats/non-cluster.zeek b/scripts/base/frameworks/sumstats/non-cluster.zeek index 8146dc50bf..c905d56e37 100644 --- a/scripts/base/frameworks/sumstats/non-cluster.zeek +++ b/scripts/base/frameworks/sumstats/non-cluster.zeek @@ -54,14 +54,15 @@ event SumStats::finish_epoch(ss: SumStat) } } } - + # We can reset here because we know that the reference # to the data will be maintained by the process_epoch_result # event. reset(ss); } - schedule ss$epoch { SumStats::finish_epoch(ss) }; + if ( ss$epoch != 0secs ) + schedule ss$epoch { SumStats::finish_epoch(ss) }; } function data_added(ss: SumStat, key: Key, result: Result) diff --git a/testing/btest/Baseline/scripts.base.frameworks.sumstats.manual-epoch-cluster/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.sumstats.manual-epoch-cluster/manager-1..stdout new file mode 100644 index 0000000000..24adb52783 --- /dev/null 
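Review bot: The comment added in `create()` starts with `##`, the marker normally reserved for generated documentation, although it sits inside a function body; the neighbouring comments use a plain `#`, e.g. `# Do not schedule finish_epoch for manual epochs (epoch == 0secs).` The guard `if ( ss$epoch != 0secs )` is repeated in cluster.zeek, here and in the non-cluster.zeek hunk that follows, and it only singles out zero. A negative interval still reaches `schedule`. How `schedule` treats that is not visible in this patch, so rejecting `ss$epoch < 0secs` once in `create()` would be the safer place to decide it.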
+++ b/testing/btest/Baseline/scripts.base.frameworks.sumstats.manual-epoch-cluster/manager-1..stdout @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +### NOTE: This file has been sorted with diff-sort. +Host: 1.2.3.4 - num:9 - sum:437.0 - avg:48.6 - max:95.0 - min:3.0 - var:758.8 - std_dev:27.5 - unique:8 - hllunique:8 +Host: 10.10.10.10 - num:1 - sum:5.0 - avg:5.0 - max:5.0 - min:5.0 - var:0.0 - std_dev:0.0 - unique:1 - hllunique:1 +Host: 6.5.4.3 - num:2 - sum:6.0 - avg:3.0 - max:5.0 - min:1.0 - var:8.0 - std_dev:2.8 - unique:2 - hllunique:2 +Host: 7.2.1.5 - num:2 - sum:145.0 - avg:72.5 - max:91.0 - min:54.0 - var:684.5 - std_dev:26.2 - unique:2 - hllunique:2 +Performing first epoch, no observations +Performing second epoch with overvations +Sending ready for data +epoch finished, F +epoch finished, T diff --git a/testing/btest/Baseline/scripts.base.frameworks.sumstats.manual-epoch/standalone..stdout b/testing/btest/Baseline/scripts.base.frameworks.sumstats.manual-epoch/standalone..stdout new file mode 100644 index 0000000000..67c235c609 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.sumstats.manual-epoch/standalone..stdout @@ -0,0 +1,8 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +Performing first epoch, no observations +epoch_finished +Performing second epoch with overvations +Host: 1.2.3.4 - num:5 - sum:221.0 - var:1144.2 - avg:44.2 - max:94.0 - min:5.0 - std_dev:33.8 - unique:4 - hllunique:4 +Host: 6.5.4.3 - num:1 - sum:2.0 - var:0.0 - avg:2.0 - max:2.0 - min:2.0 - std_dev:0.0 - unique:1 - hllunique:1 +Host: 7.2.1.5 - num:1 - sum:1.0 - var:0.0 - avg:1.0 - max:1.0 - min:1.0 - std_dev:0.0 - unique:1 - hllunique:1 +epoch_finished 
diff --git a/testing/btest/scripts/base/frameworks/sumstats/manual-epoch-cluster.zeek b/testing/btest/scripts/base/frameworks/sumstats/manual-epoch-cluster.zeek
new file mode 100644
index 0000000000..92db51858b
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/sumstats/manual-epoch-cluster.zeek
@@ -0,0 +1,123 @@ +# @TEST-PORT: BROKER_PORT1 +# @TEST-PORT: BROKER_PORT2 +# @TEST-PORT: BROKER_PORT3 +# +# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT +# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT +# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b %INPUT +# @TEST-EXEC: btest-bg-wait 30 + +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff manager-1/.stdout + +@load base/frameworks/sumstats +@load base/frameworks/cluster + +@TEST-START-FILE cluster-layout.zeek +redef Cluster::nodes = { + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT3")), $manager="manager-1", $interface="eth1"], +}; +@TEST-END-FILE + +redef Log::default_rotation_interval = 0secs; + +global n = 0; +global did_data = F; + +event zeek_init() &priority=5 + { + local r1: SumStats::Reducer = [$stream="test", $apply=set(SumStats::SUM, SumStats::MIN, SumStats::MAX, SumStats::AVERAGE, SumStats::STD_DEV, SumStats::VARIANCE, SumStats::UNIQUE, SumStats::HLL_UNIQUE)]; + SumStats::create([$name="test", + $epoch=0secs, + $reducers=set(r1), + $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) = + { + if ( ! 
did_data ) return; + local r = result["test"]; + print fmt("Host: %s - num:%d - sum:%.1f - avg:%.1f - max:%.1f - min:%.1f - var:%.1f - std_dev:%.1f - unique:%d - hllunique:%d", key$host, r$num, r$sum, r$average, r$max, r$min, r$variance, r$std_dev, r$unique, r$hll_unique); + }, + $epoch_finished(ts: time) = + { + print "epoch finished", did_data; + if ( did_data ) + terminate(); + }]); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + terminate(); + } + +global ready_for_data: event(); + +event ready_for_data() + { + if ( Cluster::node == "worker-1" ) + { + SumStats::observe("test", [$host=1.2.3.4], [$num=34]); + SumStats::observe("test", [$host=1.2.3.4], [$num=30]); + SumStats::observe("test", [$host=6.5.4.3], [$num=1]); + SumStats::observe("test", [$host=7.2.1.5], [$num=54]); + } + if ( Cluster::node == "worker-2" ) + { + SumStats::observe("test", [$host=1.2.3.4], [$num=75]); + SumStats::observe("test", [$host=1.2.3.4], [$num=30]); + SumStats::observe("test", [$host=1.2.3.4], [$num=3]); + SumStats::observe("test", [$host=1.2.3.4], [$num=57]); + SumStats::observe("test", [$host=1.2.3.4], [$num=52]); + SumStats::observe("test", [$host=1.2.3.4], [$num=61]); + SumStats::observe("test", [$host=1.2.3.4], [$num=95]); + SumStats::observe("test", [$host=6.5.4.3], [$num=5]); + SumStats::observe("test", [$host=7.2.1.5], [$num=91]); + SumStats::observe("test", [$host=10.10.10.10], [$num=5]); + } + + did_data = T; + } + +@if ( Cluster::local_node_type() == Cluster::MANAGER ) + +event second_test() + { + print "Performing second epoch with overvations"; + local ret = SumStats::next_epoch("test"); + if ( ! ret ) + print "Return value false"; + } + +event send_ready_for_data() + { + print "Sending ready for data"; + event ready_for_data(); + } + + +event cont_test() + { + print "Performing first epoch, no observations"; + local ret = SumStats::next_epoch("test"); + if ( ! 
ret ) + print "Return value false"; + schedule 5secs { send_ready_for_data() }; + schedule 10secs { second_test() }; + } + +event zeek_init() &priority=100 + { + Broker::auto_publish(Cluster::worker_topic, ready_for_data); + } + +global peer_count = 0; + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + ++peer_count; + + if ( peer_count == 2 ) + event cont_test(); + } + +@endif diff --git a/testing/btest/scripts/base/frameworks/sumstats/manual-epoch.zeek b/testing/btest/scripts/base/frameworks/sumstats/manual-epoch.zeek new file mode 100644 index 0000000000..b99dbc63f6 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/sumstats/manual-epoch.zeek 
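Review bot: The manager's sequence in `cont_test` is driven by wall-clock gaps, `schedule 5secs { send_ready_for_data() }` and `schedule 10secs { second_test() }`. The second `next_epoch` therefore only sees the workers' observations if both workers handled `ready_for_data` within five seconds. On a loaded test host this would show up as a baseline mismatch rather than a clear failure. Having the workers acknowledge their observations and triggering `second_test` from that acknowledgement would remove the dependency. If the timers stay, a comment such as `# Timing: workers must finish observing before second_test fires (5s slack).` should say what the numbers protect.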
@@ -0,0 +1,60 @@ +# @TEST-EXEC: btest-bg-run standalone zeek -b %INPUT +# @TEST-EXEC: btest-bg-wait 15 +# @TEST-EXEC: btest-diff standalone/.stdout + +@load base/frameworks/sumstats + +redef exit_only_after_terminate=T; + +event second_test() + { + SumStats::observe("test.metric", [$host=1.2.3.4], [$num=5]); + SumStats::observe("test.metric", [$host=1.2.3.4], [$num=22]); + SumStats::observe("test.metric", [$host=1.2.3.4], [$num=94]); + SumStats::observe("test.metric", [$host=1.2.3.4], [$num=50]); + SumStats::observe("test.metric", [$host=1.2.3.4], [$num=50]); + + SumStats::observe("test.metric", [$host=6.5.4.3], [$num=2]); + SumStats::observe("test.metric", [$host=7.2.1.5], [$num=1]); + print "Performing second epoch with overvations"; + local ret = SumStats::next_epoch("test"); + if ( ! ret ) + print "Return value false"; + } + +event cont_test() + { + print "Performing first epoch, no observations"; + local ret = SumStats::next_epoch("test"); + if ( ! ret ) + print "Return value false"; + schedule 2secs { second_test() }; + } + +event zeek_init() &priority=5 + { + local r1: SumStats::Reducer = [$stream="test.metric", + $apply=set(SumStats::SUM, + SumStats::VARIANCE, + SumStats::AVERAGE, + SumStats::MAX, + SumStats::MIN, + SumStats::STD_DEV, + SumStats::UNIQUE, + SumStats::HLL_UNIQUE)]; + SumStats::create([$name="test", + $epoch=0secs, + $reducers=set(r1), + $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) = + { + local r = result["test.metric"]; + print fmt("Host: %s - num:%d - sum:%.1f - var:%.1f - avg:%.1f - max:%.1f - min:%.1f - std_dev:%.1f - unique:%d - hllunique:%d", key$host, r$num, r$sum, r$variance, r$average, r$max, r$min, r$std_dev, r$unique, r$hll_unique); + terminate(); + }, + $epoch_finished(ts: time) = + { + print "epoch_finished"; + }]); + + schedule 1secs { cont_test() }; + } From c8cf1988e5cfb748bd5ee8d52599d21cd568c9ec Mon Sep 17 00:00:00 2001 
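Review bot: Neither failure path of `SumStats::next_epoch` is exercised by this test: an unknown name and a sumstat created with a non-zero epoch both return `F`, and neither is called. `print SumStats::next_epoch("no-such-sumstat");` in `cont_test` would pin the first, and a second sumstat created with a non-zero `$epoch` plus a call against it would pin the second, with the baseline updated to match. Separately, `terminate()` sits in `epoch_result`, which the record documentation describes as called once per key, so it runs for each of the three hosts. Moving it into `epoch_finished` behind a flag, as the cluster test does with `did_data`, states the intent directly. The printed string `overvations` is presumably meant to be `observations`; it is duplicated in both baselines, so a fix has to change them together.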
From: Tim Wojtulewicz Date: Mon, 16 Nov 2020 17:41:04 -0700 Subject: [PATCH 03/40] Move implementation of internal_{type,var,etc} methods back into global namespace. This fixes an unknown symbol error if using those methods. They're defined as extern in the global namespace in Var.h, but Var.cc had their implementations defined in the zeek::detail namespace. --- src/Var.cc | 60 +++++++++++++++++++++++++++--------------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/src/Var.cc b/src/Var.cc index 80c181d948..1d8f369b82 100644 --- a/src/Var.cc +++ b/src/Var.cc @@ -731,11 +731,6 @@ void end_func(StmtPtr body) ingredients.release(); } -Val* internal_val(const char* name) - { - return id::find_val(name).get(); - } - IDPList gather_outer_ids(Scope* scope, Stmt* body) { OuterIDBindingFinder cb(scope); @@ -756,20 +751,27 @@ IDPList gather_outer_ids(Scope* scope, Stmt* body) return idl; } -Val* internal_const_val(const char* name) +} // namespace zeek::detail + +zeek::Val* internal_val(const char* name) { - return id::find_const(name).get(); + return zeek::id::find_val(name).get(); } -Val* opt_internal_val(const char* name) +zeek::Val* internal_const_val(const char* name) { - const auto& id = lookup_ID(name, GLOBAL_MODULE_NAME); + return zeek::id::find_const(name).get(); + } + +zeek::Val* opt_internal_val(const char* name) + { + const auto& id = zeek::detail::lookup_ID(name, zeek::detail::GLOBAL_MODULE_NAME); return id ? id->GetVal().get() : nullptr; } double opt_internal_double(const char* name) { - const auto& id = lookup_ID(name, GLOBAL_MODULE_NAME); + const auto& id = zeek::detail::lookup_ID(name, zeek::detail::GLOBAL_MODULE_NAME); if ( ! id ) return 0.0; const auto& v = id->GetVal(); return v ? v->InternalDouble() : 0.0; 
@@ -777,7 +779,7 @@ double opt_internal_double(const char* name) bro_int_t opt_internal_int(const char* name) { - const auto& id = lookup_ID(name, GLOBAL_MODULE_NAME); + const auto& id = zeek::detail::lookup_ID(name, zeek::detail::GLOBAL_MODULE_NAME); if ( ! id ) return 0; const auto& v = id->GetVal(); return v ? v->InternalInt() : 0; 
@@ -785,63 +787,63 @@ bro_int_t opt_internal_int(const char* name) bro_uint_t opt_internal_unsigned(const char* name) { - const auto& id = lookup_ID(name, GLOBAL_MODULE_NAME); + const auto& id = zeek::detail::lookup_ID(name, zeek::detail::GLOBAL_MODULE_NAME); if ( ! id ) return 0; const auto& v = id->GetVal(); return v ? v->InternalUnsigned() : 0; } -StringVal* opt_internal_string(const char* name) +zeek::StringVal* opt_internal_string(const char* name) { - const auto& id = lookup_ID(name, GLOBAL_MODULE_NAME); + const auto& id = zeek::detail::lookup_ID(name, zeek::detail::GLOBAL_MODULE_NAME); if ( ! id ) return nullptr; const auto& v = id->GetVal(); return v ? v->AsStringVal() : nullptr; } -TableVal* opt_internal_table(const char* name) +zeek::TableVal* opt_internal_table(const char* name) { - const auto& id = lookup_ID(name, GLOBAL_MODULE_NAME); + const auto& id = zeek::detail::lookup_ID(name, zeek::detail::GLOBAL_MODULE_NAME); if ( ! id ) return nullptr; const auto& v = id->GetVal(); return v ? v->AsTableVal() : nullptr; } -ListVal* internal_list_val(const char* name) +zeek::ListVal* internal_list_val(const char* name) { - const auto& id = lookup_ID(name, GLOBAL_MODULE_NAME); + const auto& id = zeek::detail::lookup_ID(name, zeek::detail::GLOBAL_MODULE_NAME); if ( ! 
id ) return nullptr; - Val* v = id->GetVal().get(); + zeek::Val* v = id->GetVal().get(); if ( v ) { - if ( v->GetType()->Tag() == TYPE_LIST ) - return (ListVal*) v; + if ( v->GetType()->Tag() == zeek::TYPE_LIST ) + return (zeek::ListVal*) v; else if ( v->GetType()->IsSet() ) { - TableVal* tv = v->AsTableVal(); + zeek::TableVal* tv = v->AsTableVal(); auto lv = tv->ToPureListVal(); return lv.release(); } else - reporter->InternalError("internal variable %s is not a list", name); + zeek::reporter->InternalError("internal variable %s is not a list", name); } return nullptr; } -Type* internal_type(const char* name) +zeek::Type* internal_type(const char* name) { - return id::find_type(name).get(); + return zeek::id::find_type(name).get(); } -Func* internal_func(const char* name) +zeek::Func* internal_func(const char* name) { - const auto& v = id::find_val(name); + const auto& v = zeek::id::find_val(name); if ( v ) return v->AsFunc(); @@ -849,9 +851,7 @@ Func* internal_func(const char* name) return nullptr; } -EventHandlerPtr internal_handler(const char* name) +zeek::EventHandlerPtr internal_handler(const char* name) { return event_registry->Register(name); } - -} // namespace zeek::detail From 01ec5ebdcdb18bea847a42a901551b266817213d Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Wed, 18 Nov 2020 15:32:45 -0700 Subject: [PATCH 04/40] Reverts the regex change in dead3226a545e264072ced40284f86ac41528ba8. The regex change broke some of the external tests. I added some more cases to the regular email btest to hopefully cover all of the cases better. --- scripts/base/utils/email.zeek | 5 ++--- testing/btest/Baseline/scripts.base.utils.email/output | 9 ++++++++- testing/btest/scripts/base/utils/email.zeek | 4 ++++ 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/scripts/base/utils/email.zeek b/scripts/base/utils/email.zeek index 903048eafd..b647149bdc 100644 --- a/scripts/base/utils/email.zeek +++ b/scripts/base/utils/email.zeek 
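Review bot: `internal_list_val` returns pointers under two different ownership rules. In the `zeek::TYPE_LIST` branch the result is the raw pointer obtained from `id->GetVal().get()`, which presumably stays owned by the ID. In the `IsSet()` branch it is `lv.release()`, a newly built list whose reference passes to the caller. A caller cannot tell which one it received, so it either leaks the converted list or drops a reference it does not hold. Since every line of the function is touched here, the contract should at least be recorded, e.g. `// NOTE: borrowed pointer for list values, owned pointer (caller must Unref) for sets.`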
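Review bot: `internal_handler` is now defined outside `namespace zeek::detail`, but its body still calls `event_registry->Register(name)` unqualified, while every other moved function had its names prefixed with `zeek::`. That compiles only as long as a global-namespace `event_registry` remains visible, which the hunk does not show. Qualifying it like its neighbours, presumably `return zeek::event_registry->Register(name);`, would remove that dependency.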
@@ -19,7 +19,7 @@ function extract_email_addrs_vec(str: string): string_vec ## ## str: A string potentially containing email addresses. ## -## Returns: A set of extracted email addresses. An empty set is returned +## Returns: A set of extracted email addresses. An empty set is returned ## if no email addresses are discovered. function extract_email_addrs_set(str: string): set[string] { @@ -58,8 +58,7 @@ function extract_first_email_addr(str: string): string function split_mime_email_addresses(line: string): set[string] { local output = string_set(); - - local addrs = find_all(line, /(\"[^"]*\")?[^,]+@[^,]+/); + local addrs = find_all(line, /(\"[^"]*\")?[^,]+/); for ( part in addrs ) { add output[strip(part)]; diff --git a/testing/btest/Baseline/scripts.base.utils.email/output b/testing/btest/Baseline/scripts.base.utils.email/output index 6955547403..dc0958ff64 100644 --- a/testing/btest/Baseline/scripts.base.utils.email/output +++ b/testing/btest/Baseline/scripts.base.utils.email/output @@ -1,3 +1,4 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. one@example.com [one@example.com, two@example.com, three@example.com, one@example.com] { @@ -22,6 +23,12 @@ two@example.com john.smith@email.com [john.smith@email.com, jane.doe@email.com] { -john.smith@email.com +john.smith@email.com, +jane.doe@email.com +} +john.smith@email.com +[john.smith@email.com, jane.doe@email.com] +{ +john.smith@email.com, jane.doe@email.com } diff --git a/testing/btest/scripts/base/utils/email.zeek b/testing/btest/scripts/base/utils/email.zeek index 5177ce8cb2..6d4838765f 100644 --- a/testing/btest/scripts/base/utils/email.zeek +++ b/testing/btest/scripts/base/utils/email.zeek 
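Review bot: The restored pattern `/(\"[^"]*\")?[^,]+/` in `split_mime_email_addresses` accepts any comma-delimited token, so the returned set can contain parts with no `@` at all, and the input is header text taken from monitored traffic. Because the quoted group is optional, an unterminated `"` falls through to `[^,]+` and a display name containing a comma is split in two. The doc comment, which lies outside the hunk, should state this, e.g. `## Note: parts are split on commas only and are not validated as addresses; callers that need addresses should filter the result.` The added test cases cover well-formed quoted names only, so a case with an unbalanced quote and one with a token lacking `@` would pin the behaviour the revert reintroduces.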
@@ -19,3 +19,7 @@ s = "\"Smith, John\" , \"Doe, Jane\" " print extract_first_email_addr(s); print extract_email_addrs_vec(s); print extract_email_addrs_set(s); +s = "\"Smith, John\" ,\"Doe, Jane\" "; +print extract_first_email_addr(s); +print extract_email_addrs_vec(s); +print extract_email_addrs_set(s); From ec76b2510ac3684860974204cb37e2e06c7cee78 Mon Sep 17 00:00:00 2001 From: Christian Kreibich Date: Mon, 16 Nov 2020 15:20:03 -0800 Subject: [PATCH 05/40] Improve support for custom libdir locations - Remove hardwiring of $ZEEK_ROOT/lib throughout the three and defaults the name of Zeek's library directory to the default on the given platform (e.g. lib64), via GNUInstallDirs. - Consistently use that lib directory, instead of two lib folders resulting when using a custom libdir. - Remove the old lib directory in the installation prefix, if one exists - Add --lib_dir to zeek-config (and sort its options a bit). - Bump submodules for corresponding changes --- CMakeLists.txt | 31 +++++++++++++------- auxil/broker | 2 +- auxil/paraglob | 2 +- auxil/zeek-aux | 2 +- auxil/zeekctl | 2 +- cmake | 2 +- configure | 2 -- zeek-config.in | 76 ++++++++++++++++++++++++++------------------------ 8 files changed, 66 insertions(+), 53 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index f307c632ce..1a62c9a5b9 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -4,14 +4,7 @@ cmake_minimum_required(VERSION 3.0 FATAL_ERROR) project(Zeek C CXX) -if ( NOT CMAKE_INSTALL_LIBDIR ) - # Currently, some sub-projects may use GNUInstallDirs.cmake to choose the - # library install dir, while others just default to "lib". For sake of - # consistency, this just overrides the former to always use "lib" in case - # it would have chosen something else, like "lib64", but a thing for the - # future may be to standardize all sub-projects to use GNUInstallDirs. - set(CMAKE_INSTALL_LIBDIR lib) -endif () +include(GNUInstallDirs) include(cmake/CommonCMakeConfig.cmake) include(cmake/FindClangTidy.cmake) @@ -60,7 +53,8 @@ endif () get_filename_component(ZEEK_SCRIPT_INSTALL_PATH ${ZEEK_SCRIPT_INSTALL_PATH} ABSOLUTE) -set(BRO_PLUGIN_INSTALL_PATH ${ZEEK_ROOT_DIR}/lib/zeek/plugins CACHE STRING "Installation path for plugins" FORCE) +set(BRO_PLUGIN_INSTALL_PATH ${CMAKE_INSTALL_FULL_LIBDIR}/zeek/plugins CACHE STRING "Installation path for plugins" FORCE) +set(PY_MOD_INSTALL_DIR ${CMAKE_INSTALL_FULL_LIBDIR}/zeekctl CACHE STRING "Installation path for Python modules" FORCE) configure_file(zeek-path-dev.in ${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev) execute_process(COMMAND "${CMAKE_COMMAND}" -E create_symlink @@ -126,7 +120,7 @@ if ( NOT BINARY_PACKAGING_MODE ) # before Zeek 3.0. _make_install_dir_symlink("${CMAKE_INSTALL_PREFIX}/include/bro" "${CMAKE_INSTALL_PREFIX}/include/zeek") _make_install_dir_symlink("${CMAKE_INSTALL_PREFIX}/share/bro" "${CMAKE_INSTALL_PREFIX}/share/zeek") - _make_install_dir_symlink("${CMAKE_INSTALL_PREFIX}/lib/bro" "${CMAKE_INSTALL_PREFIX}/lib/zeek") + _make_install_dir_symlink("${CMAKE_INSTALL_PREFIX}/lib/bro" "${CMAKE_INSTALL_LIBDIR}/zeek") endif () if ( ZEEK_SANITIZERS ) 
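Review bot: The compatibility symlink now targets `${CMAKE_INSTALL_LIBDIR}/zeek`, which GNUInstallDirs sets to a prefix-relative name such as `lib64` by default, while the link location and the two `set(...)` lines added above use absolute paths. Unless `_make_install_dir_symlink`, defined outside this hunk, resolves relative targets against the prefix, the `lib/bro` link will not point at the installed directory. `"${CMAKE_INSTALL_FULL_LIBDIR}/zeek"` would match the rest of the change. Note also that `PY_MOD_INSTALL_DIR` is cached with `FORCE`, so a value passed with `-D` on the command line is silently overridden.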
@@ -514,6 +508,23 @@ CheckOptionalBuildSources(auxil/zeekctl ZeekControl INSTALL_ZEEKCTL) CheckOptionalBuildSources(auxil/zeek-aux Zeek-Aux INSTALL_AUX_TOOLS) CheckOptionalBuildSources(auxil/zeek-archiver ZeekArchiver INSTALL_ZEEK_ARCHIVER) +######################################################################## +## Transitions and cleanups + +if ( NOT BINARY_PACKAGING_MODE ) + # Remove pre-existing libdir of the old hardwired name if it is not + # the name we're now installing under. + set(_old_libdir ${CMAKE_INSTALL_PREFIX}/lib) + + install(CODE " + if ( EXISTS \"${_old_libdir}\" AND IS_DIRECTORY \"${_old_libdir}\" + AND NOT \"${_old_libdir}\" STREQUAL \"${CMAKE_INSTALL_FULL_LIBDIR}\" ) + message(STATUS \"WARNING: removing old library directory ${_old_libdir}\") + execute_process(COMMAND \"${CMAKE_COMMAND}\" -E remove_directory \"${_old_libdir}\") + endif () + ") +endif () + ######################################################################## ## Packaging Setup diff --git a/auxil/broker b/auxil/broker index 28fbb63d06..830c757d3b 160000 --- a/auxil/broker +++ b/auxil/broker @@ -1 +1 @@ -Subproject commit 28fbb63d06c9192923effc930a4b60226c35fb0e +Subproject commit 830c757d3b0ddfd2902db9bd0cd28110ba30d4b6 diff --git a/auxil/paraglob b/auxil/paraglob index 512c911c27..8dd1b45071 160000 --- a/auxil/paraglob +++ b/auxil/paraglob @@ -1 +1 @@ -Subproject commit 512c911c27aeb319430093187f85c70610d80035 +Subproject commit 8dd1b45071ad41d5f1c4e5e6d0b9e189ccb5cb1f diff --git a/auxil/zeek-aux b/auxil/zeek-aux index fbb5a21719..6a5d774c99 160000 --- a/auxil/zeek-aux +++ b/auxil/zeek-aux @@ -1 +1 @@ -Subproject commit fbb5a21719d4d00244bdd9f0d0a2f8543580a016 +Subproject commit 6a5d774c998d873071c551ad11d0e330fb2231e3 diff --git a/auxil/zeekctl b/auxil/zeekctl index f99e3265c5..80d0bec037 160000 --- a/auxil/zeekctl +++ b/auxil/zeekctl @@ -1 +1 @@ -Subproject commit f99e3265c5e7d6c45361b7d8dc03e772f66b0d4b +Subproject commit 80d0bec0379a5208d7fb36933b1483e1603f5ec8 
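Review bot: The install-time cleanup deletes `${CMAKE_INSTALL_PREFIX}/lib` wholesale whenever it differs from `CMAKE_INSTALL_FULL_LIBDIR`, and nothing checks that the directory holds only Zeek files. With a shared prefix such as `/usr` or `/usr/local` and a platform libdir of `lib64`, a `make install` run as root would remove the system's `lib` directory. The path is also used without `$ENV{DESTDIR}`, so a staged install would act on the live prefix rather than the staging tree. Restricting the removal to Zeek-owned subdirectories, as sketched below, keeps the transition without touching anything else.

```cmake
if ( NOT BINARY_PACKAGING_MODE )
    # Remove only Zeek-owned subdirectories of the old hardwired libdir,
    # never the directory itself, and honour DESTDIR for staged installs.
    # NOTE: the subdirectory list is a sketch; fill it from what earlier
    # releases actually installed under <prefix>/lib.
    foreach ( _sub zeek zeekctl )
        set(_old_dir ${CMAKE_INSTALL_PREFIX}/lib/${_sub})
        set(_new_dir ${CMAKE_INSTALL_FULL_LIBDIR}/${_sub})
        install(CODE "
          if ( IS_DIRECTORY \"\$ENV{DESTDIR}${_old_dir}\"
               AND NOT \"${_old_dir}\" STREQUAL \"${_new_dir}\" )
            message(STATUS \"WARNING: removing old directory \$ENV{DESTDIR}${_old_dir}\")
            execute_process(COMMAND \"${CMAKE_COMMAND}\" -E remove_directory \"\$ENV{DESTDIR}${_old_dir}\")
          endif ()
        ")
    endforeach ()
endif ()
```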
diff --git a/cmake b/cmake index cf652b8459..0acdf4093e 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit cf652b845908a15c02e11dca3162f3eecca0a9c5 +Subproject commit 0acdf4093ebae0026327b43b850e68225d046cb7 diff --git a/configure b/configure index 0014f30834..7b74d3edf7 100755 --- a/configure +++ b/configure @@ -148,7 +148,6 @@ prefix=/usr/local/zeek CMakeCacheEntries="" append_cache_entry CMAKE_INSTALL_PREFIX PATH $prefix append_cache_entry ZEEK_ROOT_DIR PATH $prefix -append_cache_entry PY_MOD_INSTALL_DIR PATH $prefix/lib/zeekctl append_cache_entry ZEEK_SCRIPT_INSTALL_PATH STRING $prefix/share/zeek append_cache_entry ZEEK_ETC_INSTALL_DIR PATH $prefix/etc append_cache_entry ENABLE_DEBUG BOOL false @@ -203,7 +202,6 @@ while [ $# -ne 0 ]; do prefix=$optarg append_cache_entry CMAKE_INSTALL_PREFIX PATH $optarg append_cache_entry ZEEK_ROOT_DIR PATH $optarg - append_cache_entry PY_MOD_INSTALL_DIR PATH $optarg/lib/zeekctl ;; --libdir=*) append_cache_entry CMAKE_INSTALL_LIBDIR PATH $optarg diff --git a/zeek-config.in b/zeek-config.in index dea1c37411..7c8e58d723 100755 --- a/zeek-config.in +++ b/zeek-config.in @@ -5,6 +5,7 @@ build_type=@CMAKE_BUILD_TYPE_LOWER@ prefix=@CMAKE_INSTALL_PREFIX@ script_dir=@ZEEK_SCRIPT_INSTALL_PATH@ site_dir=@ZEEK_SCRIPT_INSTALL_PATH@/site +lib_dir=@CMAKE_INSTALL_FULL_LIBDIR@ plugin_dir=@BRO_PLUGIN_INSTALL_PATH@ config_dir=@ZEEK_ETC_INSTALL_DIR@ python_dir=@PY_MOD_INSTALL_DIR@ 
@@ -24,7 +25,7 @@ include_dir=${include_dir}:@ZEEK_CONFIG_LibKrb5_INCLUDE_DIR@ include_dir=${include_dir}:@ZEEK_CONFIG_GooglePerftools_INCLUDE_DIR@ usage="\ -Usage: zeek-config [--version] [--build_type] [--prefix] [--script_dir] [--site_dir] [--plugin_dir] [--config_dir] [--python_dir] [--include_dir] [--cmake_dir] [--zeekpath] [--zeek_dist] [--binpac_root] [--caf_root] [--broker_root]" +Usage: zeek-config [--version] [--build_type] [--prefix] [--lib_dir] [--script_dir] [--site_dir] [--plugin_dir] [--config_dir] [--python_dir] [--include_dir] [--cmake_dir] [--zeekpath] [--zeek_dist] [--binpac_root] [--caf_root] [--broker_root]" if [ $# -eq 0 ] ; then echo "${usage}" 1>&2 @@ -38,14 +39,44 @@ while [ $# -ne 0 ]; do esac case $1 in - --version) - echo $version + --binpac_root) + echo $binpac_root + ;; + --bro_dist) # For compatibility with legacy Bro plugins. + echo $zeek_dist + ;; + --broker_root) + echo $broker_root + ;; + --bropath) # For compatibility with legacy Bro plugins. + echo $zeekpath + ;; + --build_type) + echo $build_type + ;; + --caf_root) + echo $caf_root + ;; + --cmake_dir) + echo $cmake_dir + ;; + --config_dir) + echo $config_dir + ;; + --include_dir) + echo $include_dir + ;; + --lib_dir) + echo $lib_dir + ;; + --plugin_dir) + echo $plugin_dir ;; --prefix) echo $prefix ;; - --build_type) - echo $build_type + --python_dir) + echo $python_dir ;; --script_dir) echo $script_dir 
@@ -53,41 +84,14 @@ while [ $# -ne 0 ]; do --site_dir) echo $site_dir ;; - --plugin_dir) - echo $plugin_dir - ;; - --config_dir) - echo $config_dir - ;; - --python_dir) - echo $python_dir - ;; - --cmake_dir) - echo $cmake_dir - ;; - --include_dir) - echo $include_dir - ;; - --bropath) # For compatibility with legacy Bro plugins. - echo $zeekpath - ;; - --zeekpath) - echo $zeekpath - ;; - --bro_dist) # For compatibility with legacy Bro plugins. - echo $zeek_dist + --version) + echo $version ;; --zeek_dist) echo $zeek_dist ;; - --binpac_root) - echo $binpac_root - ;; - --caf_root) - echo $caf_root - ;; - --broker_root) - echo $broker_root + --zeekpath) + echo $zeekpath ;; *) echo "${usage}" 1>&2 From aac003223fc7712ee9467244dc84a10a484a9226 Mon Sep 17 00:00:00 2001 From: zeek-bot Date: Sat, 21 Nov 2020 00:33:51 +0000 Subject: [PATCH 06/40] Update doc submodule [nomail] [skip ci] --- doc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc b/doc index 7658414ac4..88b48fe09d 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit 7658414ac454522ecd5710c13ca6e0bc4a842e12 +Subproject commit 88b48fe09d355239afd74a36d4f948629ee0e95d From 81362de0643fc3bba8247880b9596120691b6859 Mon Sep 17 00:00:00 2001 From: Otto Fowler Date: Sat, 21 Nov 2020 22:50:44 -0500 Subject: [PATCH 07/40] Update .gitignore to ignore pyenv .python-version You may have this file if you have multiple versions of python installed, and zeek doesn't build with all of them --- .gitignore | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.gitignore b/.gitignore index e0efa6d316..e06e3a71d5 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,6 @@ cmake-build-* # skip DS Store for MacOS .DS_Store + +# ignore pyenv local settings +.python-version From b42396340e309b1197058219bdb79395957877fc Mon Sep 17 00:00:00 2001 
From: Benjamin Bannier Date: Mon, 23 Nov 2020 10:57:38 +0100 Subject: [PATCH 08/40] Find correct zeek namespace in debug logger macros. These macros forward to functionality in `zeek::detail::debug_logger` and are not intended for customization. This patch fixes the macros to always use `::zeek::detail::debug_logger` as without the leading `::` lookup could happen in any potentially local namespace `zeek` which does not need to provide this symbol. This closes zeek/spicy#597. --- src/DebugLogger.h | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/DebugLogger.h b/src/DebugLogger.h index f7c3a04e55..736ade5aac 100644 --- a/src/DebugLogger.h +++ b/src/DebugLogger.h @@ -12,15 +12,15 @@ #include #define DBG_LOG(stream, args...) \ - if ( zeek::detail::debug_logger.IsEnabled(stream) ) \ - zeek::detail::debug_logger.Log(stream, args) + if ( ::zeek::detail::debug_logger.IsEnabled(stream) ) \ + ::zeek::detail::debug_logger.Log(stream, args) #define DBG_LOG_VERBOSE(stream, args...) \ - if ( zeek::detail::debug_logger.IsVerbose() && zeek::detail::debug_logger.IsEnabled(stream) ) \ - zeek::detail::debug_logger.Log(stream, args) -#define DBG_PUSH(stream) zeek::detail::debug_logger.PushIndent(stream) -#define DBG_POP(stream) zeek::detail::debug_logger.PopIndent(stream) + if ( ::zeek::detail::debug_logger.IsVerbose() && ::zeek::detail::debug_logger.IsEnabled(stream) ) \ + ::zeek::detail::debug_logger.Log(stream, args) +#define DBG_PUSH(stream) ::zeek::detail::debug_logger.PushIndent(stream) +#define DBG_POP(stream) ::zeek::detail::debug_logger.PopIndent(stream) -#define PLUGIN_DBG_LOG(plugin, args...) zeek::detail::debug_logger.Log(plugin, args) +#define PLUGIN_DBG_LOG(plugin, args...) ::zeek::detail::debug_logger.Log(plugin, args) ZEEK_FORWARD_DECLARE_NAMESPACED(Plugin, zeek, plugin); From b8e49316818b452f02b087ff845fd501997662ad Mon Sep 17 00:00:00 2001 
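Review bot: `DBG_LOG` and `DBG_LOG_VERBOSE` still expand to a bare `if` statement on the new side, so a call written directly before an `else` captures that `else`; the hunk fixes the namespace lookup but keeps that shape. Wrapping the expansion makes each macro a single statement: `do { if ( ::zeek::detail::debug_logger.IsEnabled(stream) ) ::zeek::detail::debug_logger.Log(stream, args); } while ( 0 )`, with the same change for `DBG_LOG_VERBOSE`. It is also worth a one-line comment above the macros saying that the leading `::` is deliberate, for example `// Fully qualified so the macros work inside any nested namespace named zeek.`, so that it is not "cleaned up" later.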
From: Dominik Charousset Date: Mon, 23 Nov 2020 17:04:47 +0100 Subject: [PATCH 09/40] Simplify CI dependencies and setup --- ci/debian-9/Dockerfile | 5 ++--- ci/ubuntu-16.04/Dockerfile | 12 +++++------- 2 files changed, 7 insertions(+), 10 deletions(-) diff --git a/ci/debian-9/Dockerfile b/ci/debian-9/Dockerfile index e8fcd03e16..e2dabd95d0 100644 --- a/ci/debian-9/Dockerfile +++ b/ci/debian-9/Dockerfile @@ -28,9 +28,6 @@ RUN apt-get update && apt-get -y install \ libc++abi-7-dev \ && rm -rf /var/lib/apt/lists/* -RUN update-alternatives --install /usr/bin/cc cc /usr/bin/clang-7 100 -RUN update-alternatives --install /usr/bin/c++ c++ /usr/bin/clang++-7 100 - # Many distros adhere to PEP 394's recommendation for `python` = `python2` so # this is a simple workaround until we drop Python 2 support and explicitly # use `python3` for all invocations (e.g. in shebangs). @@ -39,4 +36,6 @@ RUN ln -sf /usr/bin/pip3 /usr/local/bin/pip RUN pip install junit2html +ENV CC=/usr/bin/clang-7 +ENV CXX=/usr/bin/clang++-7 ENV CXXFLAGS=-stdlib=libc++ diff --git a/ci/ubuntu-16.04/Dockerfile b/ci/ubuntu-16.04/Dockerfile index 5eeda5894f..e094e584c5 100644 --- a/ci/ubuntu-16.04/Dockerfile +++ b/ci/ubuntu-16.04/Dockerfile @@ -15,6 +15,9 @@ RUN apt-get update && apt-get -y install \ python3 \ python3-dev \ python3-pip\ + clang-8 \ + libc++-8-dev \ + libc++abi-8-dev \ swig \ zlib1g-dev \ libkrb5-dev \ 
@@ -25,12 +28,6 @@ RUN apt-get update && apt-get -y install \ xz-utils \ && rm -rf /var/lib/apt/lists/* -RUN wget -q https://releases.llvm.org/9.0.0/clang+llvm-9.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz -RUN mkdir /clang-9 -RUN tar --strip-components=1 -C /clang-9 -xvf clang+llvm-9.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz -RUN update-alternatives --install /usr/bin/cc cc /clang-9/bin/clang 100 -RUN update-alternatives --install /usr/bin/c++ c++ /clang-9/bin/clang++ 100 - # Many distros adhere to PEP 394's recommendation for `python` = `python2` so # this is a simple workaround until we drop Python 2 support and explicitly # use `python3` for all invocations (e.g. in shebangs). @@ -39,5 +36,6 @@ RUN ln -sf /usr/bin/pip3 /usr/local/bin/pip RUN pip install junit2html +ENV CC=/usr/bin/clang-8 +ENV CXX=/usr/bin/clang++-8 ENV CXXFLAGS=-stdlib=libc++ -ENV LD_LIBRARY_PATH=/clang-9/lib From 3ebfcdf0aec581faf4c011f66c12d3ed2c55df23 Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Fri, 6 Nov 2020 11:45:23 +0000 Subject: [PATCH 10/40] Add test creating multiple plugins with load dependencies. If we load plugins purely alphabetically, the 1st Zeek run in the test will success while the 2nd will fail. --- .../plugins.plugin-load-dependency/output | 18 +++++++++++ .../btest/plugins/plugin-load-dependency.zeek | 31 +++++++++++++++++++ .../plugin-load-dependency/.btest-ignore | 0 .../plugin-load-dependency/1/src/Plugin.cc | 23 ++++++++++++++ .../plugin-load-dependency/1/src/Plugin.h | 17 ++++++++++ .../plugin-load-dependency/2/src/Plugin.cc | 21 +++++++++++++ .../plugin-load-dependency/2/src/Plugin.h | 17 ++++++++++ .../plugin-load-dependency/3/src/Plugin.cc | 23 ++++++++++++++ .../plugin-load-dependency/3/src/Plugin.h | 17 ++++++++++ 9 files changed, 167 insertions(+) create mode 100644 testing/btest/Baseline/plugins.plugin-load-dependency/output create mode 100644 testing/btest/plugins/plugin-load-dependency.zeek create mode 100644 testing/btest/plugins/plugin-load-dependency/.btest-ignore create mode 100644 testing/btest/plugins/plugin-load-dependency/1/src/Plugin.cc create mode 100644 testing/btest/plugins/plugin-load-dependency/1/src/Plugin.h create mode 100644 testing/btest/plugins/plugin-load-dependency/2/src/Plugin.cc create mode 100644 testing/btest/plugins/plugin-load-dependency/2/src/Plugin.h create mode 100644 testing/btest/plugins/plugin-load-dependency/3/src/Plugin.cc create mode 100644 testing/btest/plugins/plugin-load-dependency/3/src/Plugin.h diff --git a/testing/btest/Baseline/plugins.plugin-load-dependency/output b/testing/btest/Baseline/plugins.plugin-load-dependency/output new file mode 100644 index 0000000000..e788232bd8 --- /dev/null +++ b/testing/btest/Baseline/plugins.plugin-load-dependency/output 
@@ -0,0 +1,18 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +Testing::Plugin2 - Plugin2 provides a load dependency for Plugin1 and Plugin3 (dynamic, version 1.0.0) +Testing::Plugin3 - Plugin3 has a load dependency on Plugin2 (dynamic, version 1.0.0) +in Plugin2 +in Plugin3 + +Testing::Plugin1 - Plugin1 has a load dependency on Plugin2 (dynamic, version 1.0.0) +Testing::Plugin2 - Plugin2 provides a load dependency for Plugin1 and Plugin3 (dynamic, version 1.0.0) +in Plugin1 +in Plugin2 + +Testing::Plugin1 - Plugin1 has a load dependency on Plugin2 (dynamic, version 1.0.0) +Testing::Plugin2 - Plugin2 provides a load dependency for Plugin1 and Plugin3 (dynamic, version 1.0.0) +Testing::Plugin3 - Plugin3 has a load dependency on Plugin2 (dynamic, version 1.0.0) +in Plugin1 +in Plugin2 +in Plugin2 +in Plugin3 diff --git a/testing/btest/plugins/plugin-load-dependency.zeek b/testing/btest/plugins/plugin-load-dependency.zeek new file mode 100644 index 0000000000..d9d78d7ebb --- /dev/null +++ b/testing/btest/plugins/plugin-load-dependency.zeek 
@@ -0,0 +1,31 @@ +# @TEST-EXEC: mkdir 1 +# @TEST-EXEC: cd 1 && ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . Testing Plugin1 +# @TEST-EXEC: cp -r %DIR/plugin-load-dependency/1 . +# @TEST-EXEC: cd 1 && ./configure --zeek-dist=${DIST} && make + +# @TEST-EXEC: mkdir 2 +# @TEST-EXEC: cd 2 && ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . Testing Plugin2 +# @TEST-EXEC: cp -r %DIR/plugin-load-dependency/2 . +# @TEST-EXEC: cd 2 && ./configure --zeek-dist=${DIST} && make + +# @TEST-EXEC: mkdir 3 +# @TEST-EXEC: cd 3 && ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . Testing Plugin3 +# @TEST-EXEC: cp -r %DIR/plugin-load-dependency/3 . +# @TEST-EXEC: cd 3 && ./configure --zeek-dist=${DIST} && make + +# The following run will only work if Zeek loads plugin2 before plugin3 (which +# by alphabetical loading will be the case) +# @TEST-EXEC: ZEEK_PLUGIN_PATH=. zeek -b -N Testing::Plugin3 Testing::Plugin2 | grep -v Zeek:: | sort >> output +# +# @TEST-EXEC: echo >>output +# +# The following run will only work if Zeek loads plugin2 before plugin1 (which +# by alphabetical loading will not be the case). +# @TEST-EXEC: ZEEK_PLUGIN_PATH=. zeek -b -N Testing::Plugin1 Testing::Plugin2 | grep -v Zeek:: | sort >> output +# +# @TEST-EXEC: echo >>output +# +# Finally, try it with self-discovery of all three plugins too. +# @TEST-EXEC: ZEEK_PLUGIN_PATH=. zeek -N | grep -v Zeek:: | sort >> output +# +# @TEST-EXEC: btest-diff output diff --git a/testing/btest/plugins/plugin-load-dependency/.btest-ignore b/testing/btest/plugins/plugin-load-dependency/.btest-ignore new file mode 100644 index 0000000000..e69de29bb2 diff --git a/testing/btest/plugins/plugin-load-dependency/1/src/Plugin.cc b/testing/btest/plugins/plugin-load-dependency/1/src/Plugin.cc new file mode 100644 index 0000000000..76501c4bc9 --- /dev/null +++ b/testing/btest/plugins/plugin-load-dependency/1/src/Plugin.cc 
@@ -0,0 +1,23 @@ + +#include "Plugin.h" + +namespace btest::plugin::Testing_Plugin1 { Plugin plugin; } + +using namespace btest::plugin::Testing_Plugin1; + +extern void Plugin2_foo(); + +zeek::plugin::Configuration Plugin::Configure() + { + zeek::plugin::Configuration config; + config.name = "Testing::Plugin1"; + config.description = "Plugin1 has a load dependency on Plugin2"; + config.version.major = 1; + config.version.minor = 0; + config.version.patch = 0; + + printf("in Plugin1\n"); + Plugin2_foo(); + + return config; + } diff --git a/testing/btest/plugins/plugin-load-dependency/1/src/Plugin.h b/testing/btest/plugins/plugin-load-dependency/1/src/Plugin.h new file mode 100644 index 0000000000..18ccb8d319 --- /dev/null +++ b/testing/btest/plugins/plugin-load-dependency/1/src/Plugin.h @@ -0,0 +1,17 @@ + +#pragma once + +#include + +namespace btest::plugin::Testing_Plugin1 { + +class Plugin : public zeek::plugin::Plugin +{ +protected: + // Overridden from zeek::plugin::Plugin. + zeek::plugin::Configuration Configure() override; +}; + +extern Plugin plugin; + +} diff --git a/testing/btest/plugins/plugin-load-dependency/2/src/Plugin.cc b/testing/btest/plugins/plugin-load-dependency/2/src/Plugin.cc new file mode 100644 index 0000000000..fd6a28155e --- /dev/null +++ b/testing/btest/plugins/plugin-load-dependency/2/src/Plugin.cc @@ -0,0 +1,21 @@ + +#include "Plugin.h" + +namespace btest::plugin::Testing_Plugin2 { Plugin plugin; } + +using namespace btest::plugin::Testing_Plugin2; + +void Plugin2_foo() { + printf("in Plugin2\n"); +} + +zeek::plugin::Configuration Plugin::Configure() + { + zeek::plugin::Configuration config; + config.name = "Testing::Plugin2"; + config.description = "Plugin2 provides a load dependency for Plugin1 and Plugin3"; + config.version.major = 1; + config.version.minor = 0; + config.version.patch = 0; + return config; + } 
diff --git a/testing/btest/plugins/plugin-load-dependency/2/src/Plugin.h b/testing/btest/plugins/plugin-load-dependency/2/src/Plugin.h new file mode 100644 index 0000000000..8e9c69aecb --- /dev/null +++ b/testing/btest/plugins/plugin-load-dependency/2/src/Plugin.h @@ -0,0 +1,17 @@ + +#pragma once + +#include + +namespace btest::plugin::Testing_Plugin2 { + +class Plugin : public zeek::plugin::Plugin +{ +protected: + // Overridden from zeek::plugin::Plugin. + zeek::plugin::Configuration Configure() override; +}; + +extern Plugin plugin; + +} diff --git a/testing/btest/plugins/plugin-load-dependency/3/src/Plugin.cc b/testing/btest/plugins/plugin-load-dependency/3/src/Plugin.cc new file mode 100644 index 0000000000..68d878ad55 --- /dev/null +++ b/testing/btest/plugins/plugin-load-dependency/3/src/Plugin.cc @@ -0,0 +1,23 @@ + +#include "Plugin.h" + +namespace btest::plugin::Testing_Plugin3 { Plugin plugin; } + +using namespace btest::plugin::Testing_Plugin3; + +extern void Plugin2_foo(); + +zeek::plugin::Configuration Plugin::Configure() + { + zeek::plugin::Configuration config; + config.name = "Testing::Plugin3"; + config.description = "Plugin3 has a load dependency on Plugin2"; + config.version.major = 1; + config.version.minor = 0; + config.version.patch = 0; + + printf("in Plugin3\n"); + Plugin2_foo(); + + return config; + } diff --git a/testing/btest/plugins/plugin-load-dependency/3/src/Plugin.h b/testing/btest/plugins/plugin-load-dependency/3/src/Plugin.h new file mode 100644 index 0000000000..b6b692f877 --- /dev/null +++ b/testing/btest/plugins/plugin-load-dependency/3/src/Plugin.h @@ -0,0 +1,17 @@ + +#pragma once + +#include + +namespace btest::plugin::Testing_Plugin3 { + +class Plugin : public zeek::plugin::Plugin +{ +protected: + // Overridden from zeek::plugin::Plugin. + zeek::plugin::Configuration Configure() override; +}; + +extern Plugin plugin; + +} From df40e82fd63f47c6032031fe144f865e5985f02a Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Fri, 6 Nov 2020 11:58:41 +0000 Subject: [PATCH 11/40] When attempting to activate a plugin, load dynamic libraries first. Just moving code. This is so that we can abort if dlopen() fails without having changed any other state yet. --- src/plugin/Manager.cc | 104 +++++++++++++++++++++--------------------- 1 file changed, 52 insertions(+), 52 deletions(-) diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index 6f20c7b516..8598e3fe3d 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc 
@@ -175,58 +175,6 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ DBG_LOG(DBG_PLUGINS, "Activating plugin %s", name.c_str()); - // Add the "scripts" and "bif" directories to ZEEKPATH. - std::string scripts = dir + "scripts"; - - if ( util::is_dir(scripts) ) - { - DBG_LOG(DBG_PLUGINS, " Adding %s to ZEEKPATH", scripts.c_str()); - util::detail::add_to_zeek_path(scripts); - } - - string init; - - // First load {scripts}/__preload__.zeek automatically. - for (const string& ext : util::detail::script_extensions) - { - init = dir + "scripts/__preload__" + ext; - - if ( util::is_file(init) ) - { - DBG_LOG(DBG_PLUGINS, " Loading %s", init.c_str()); - util::detail::warn_if_legacy_script(init); - scripts_to_load.push_back(init); - break; - } - } - - // Load {bif,scripts}/__load__.zeek automatically. - for (const string& ext : util::detail::script_extensions) - { - init = dir + "lib/bif/__load__" + ext; - - if ( util::is_file(init) ) - { - DBG_LOG(DBG_PLUGINS, " Loading %s", init.c_str()); - util::detail::warn_if_legacy_script(init); - scripts_to_load.push_back(init); - break; - } - } - - for (const string& ext : util::detail::script_extensions) - { - init = dir + "scripts/__load__" + ext; - - if ( util::is_file(init) ) - { - DBG_LOG(DBG_PLUGINS, " Loading %s", init.c_str()); - util::detail::warn_if_legacy_script(init); - scripts_to_load.push_back(init); - break; - } - } - // Load shared libraries. string dypattern = dir + "/lib/*." + HOST_ARCHITECTURE + DYNAMIC_PLUGIN_SUFFIX; 
@@ -288,6 +236,58 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ DBG_LOG(DBG_PLUGINS, " No shared library found"); } + // Add the "scripts" and "bif" directories to ZEEKPATH. + std::string scripts = dir + "scripts"; + + if ( util::is_dir(scripts) ) + { + DBG_LOG(DBG_PLUGINS, " Adding %s to ZEEKPATH", scripts.c_str()); + util::detail::add_to_zeek_path(scripts); + } + + string init; + + // First load {scripts}/__preload__.zeek automatically. + for (const string& ext : util::detail::script_extensions) + { + init = dir + "scripts/__preload__" + ext; + + if ( util::is_file(init) ) + { + DBG_LOG(DBG_PLUGINS, " Loading %s", init.c_str()); + util::detail::warn_if_legacy_script(init); + scripts_to_load.push_back(init); + break; + } + } + + // Load {bif,scripts}/__load__.zeek automatically. + for (const string& ext : util::detail::script_extensions) + { + init = dir + "lib/bif/__load__" + ext; + + if ( util::is_file(init) ) + { + DBG_LOG(DBG_PLUGINS, " Loading %s", init.c_str()); + util::detail::warn_if_legacy_script(init); + scripts_to_load.push_back(init); + break; + } + } + + for (const string& ext : util::detail::script_extensions) + { + init = dir + "scripts/__load__" + ext; + + if ( util::is_file(init) ) + { + DBG_LOG(DBG_PLUGINS, " Loading %s", init.c_str()); + util::detail::warn_if_legacy_script(init); + scripts_to_load.push_back(init); + break; + } + } + // Mark this plugin as activated by clearing the path. m->second.clear(); From b780bc146f88d7a829fa94dd7c7efe0036b4ad30 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 24 Nov 2020 17:00:20 +0000 Subject: [PATCH 12/40] Fix use of deprecated functionality in test. --- testing/btest/plugins/bifs-and-scripts.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testing/btest/plugins/bifs-and-scripts.sh b/testing/btest/plugins/bifs-and-scripts.sh index 911d279c11..345c1faa8f 100644 --- a/testing/btest/plugins/bifs-and-scripts.sh 
+++ b/testing/btest/plugins/bifs-and-scripts.sh @@ -51,7 +51,7 @@ EOF cat >src/foo.bif <("Hello from the plugin!"); %} event plugin_event%(foo: count%); From e70b308c1688f3e2d53c71cd44ea11827a329897 Mon Sep 17 00:00:00 2001 From: Christian Kreibich Date: Tue, 24 Nov 2020 12:05:03 -0800 Subject: [PATCH 13/40] Update CMakeLists.txt to make portability symlink absolute Co-authored-by: Jon Siwek --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 1a62c9a5b9..8b92e39201 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -120,7 +120,7 @@ if ( NOT BINARY_PACKAGING_MODE ) # before Zeek 3.0. _make_install_dir_symlink("${CMAKE_INSTALL_PREFIX}/include/bro" "${CMAKE_INSTALL_PREFIX}/include/zeek") _make_install_dir_symlink("${CMAKE_INSTALL_PREFIX}/share/bro" "${CMAKE_INSTALL_PREFIX}/share/zeek") - _make_install_dir_symlink("${CMAKE_INSTALL_PREFIX}/lib/bro" "${CMAKE_INSTALL_LIBDIR}/zeek") + _make_install_dir_symlink("${CMAKE_INSTALL_PREFIX}/lib/bro" "${CMAKE_INSTALL_FULL_LIBDIR}/zeek") endif () if ( ZEEK_SANITIZERS ) From ea841f32b1284308442fa3ebdd85b38e6eb3a720 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 24 Nov 2020 15:43:55 -0800 Subject: [PATCH 14/40] Update submodule(s) [nomail] --- auxil/btest | 2 +- doc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/auxil/btest b/auxil/btest index a0f317ec29..03b2fe6fa9 160000 --- a/auxil/btest +++ b/auxil/btest @@ -1 +1 @@ -Subproject commit a0f317ec29461f7035d27b9f4f0cab389cc345a4 +Subproject commit 03b2fe6fa958a8519cb22bbf230b8a8e081a50c9 diff --git a/doc b/doc index d76c85f56f..88b48fe09d 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit d76c85f56ff7d64603eebbc49ed06ef2b816ab06 +Subproject commit 88b48fe09d355239afd74a36d4f948629ee0e95d From fe45f5335a782fb60281160f30f24b43377c57c0 Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Tue, 24 Nov 2020 17:00:41 +0000 Subject: [PATCH 15/40] Retry loading plugins on failure to resolve to dependencies. Closes #1179. --- src/plugin/Manager.cc | 84 ++++++++++++++++++++++++++++++------------- src/plugin/Manager.h | 34 +++++++++--------- src/zeek-setup.cc | 13 ++----- 3 files changed, 79 insertions(+), 52 deletions(-) diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index 8598e3fe3d..614e100ca1 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc @@ -140,7 +140,7 @@ void Manager::SearchDynamicPlugins(const std::string& dir) closedir(d); } -bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_not_found) +bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_not_found, std::vector* errors) { dynamic_plugin_map::iterator m = dynamic_plugins.find(util::strtolower(name)); @@ -160,7 +160,7 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ return true; } - reporter->Error("plugin %s is not available", name.c_str()); + errors->push_back(util::fmt("plugin %s is not available", name.c_str())); return false; } @@ -192,16 +192,19 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ current_plugin = nullptr; current_dir = dir.c_str(); current_sopath = path; - void* hdl = dlopen(path, RTLD_LAZY | RTLD_GLOBAL); + void* hdl = dlopen(path, RTLD_NOW | RTLD_GLOBAL); if ( ! hdl ) { const char* err = dlerror(); - reporter->FatalError("cannot load plugin library %s: %s", path, err ? err : ""); + errors->push_back(util::fmt("cannot load plugin library %s: %s", path, err ? err : "")); + return false; } - if ( ! current_plugin ) - reporter->FatalError("load plugin library %s did not instantiate a plugin", path); + if ( ! current_plugin ) { + errors->push_back(util::fmt("load plugin library %s did not instantiate a plugin", path)); + return false; + } current_plugin->SetDynamic(true); current_plugin->DoConfigure(); 
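Review bot: The `did not instantiate a plugin` failure in the third hunk here, and the `inconsistent plugin name` failure in the hunk that follows, now go through `errors->push_back(...)` and `return false`, which puts them on the same retry path as a `dlopen()` failure even though loading another plugin first cannot fix either. In the name-mismatch case the library is already loaded and `SetDynamic(true)` and `DoConfigure()` have run before the check, so a later attempt presumably finds the object already mapped, `current_plugin` stays null, and the message finally printed names the wrong cause. Because these are libraries picked up from the plugin search path, the first failure reason is what an operator needs to recognise an unexpected or mislabelled library. Keeping both as `reporter->FatalError(...)`, as before the change, would preserve that; `ActivateDynamicPluginInternal()` continues past these hunks.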
@@ -217,9 +220,11 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ // Make sure the name the plugin reports is consistent with // what we expect from its magic file. - if ( util::strtolower(current_plugin->Name()) != util::strtolower(name) ) - reporter->FatalError("inconsistent plugin name: %s vs %s", - current_plugin->Name().c_str(), name.c_str()); + if ( util::strtolower(current_plugin->Name()) != util::strtolower(name) ) { + errors->push_back(util::fmt("inconsistent plugin name: %s vs %s", + current_plugin->Name().c_str(), name.c_str())); + return false; + } current_dir = nullptr; current_sopath = nullptr; 
@@ -294,37 +299,66 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ return true; } -bool Manager::ActivateDynamicPlugin(const std::string& name) +void Manager::ActivateDynamicPlugin(const std::string& name) { - if ( ! ActivateDynamicPluginInternal(name) ) - return false; - - UpdateInputFiles(); - return true; + std::vector errors; + if ( ActivateDynamicPluginInternal(name, false, &errors) ) + UpdateInputFiles(); + else + // Reschedule for another attempt later. + requested_plugins.insert(std::move(name)); } -bool Manager::ActivateDynamicPlugins(bool all) - { +void Manager::ActivateDynamicPlugins(bool all) { + // Tracks plugins we need to activate as pairs of their names and booleans + // indicating whether an activation failure is to be deemed a fatal error. + std::set> plugins_to_activate; + + // Activate plugins that were specifically requested. + for ( const auto& x : requested_plugins ) + plugins_to_activate.emplace(x, false); + // Activate plugins that our environment tells us to. vector p; util::tokenize_string(util::zeek_plugin_activate(), ",", &p); - for ( size_t n = 0; n < p.size(); ++n ) - ActivateDynamicPluginInternal(p[n], true); + for ( const auto& x : p ) + plugins_to_activate.emplace(x, true); if ( all ) { - for ( dynamic_plugin_map::const_iterator i = dynamic_plugins.begin(); - i != dynamic_plugins.end(); i++ ) + // Activate all other ones we discovered. + for ( const auto& x : dynamic_plugins ) + plugins_to_activate.emplace(x.first, false); + } + + // Now we keep iterating over all the plugins, trying to load them, for as + // long as we're successful for at least one further of them each round. + // Doing so ensures that we can resolve (non-cyclic) load dependencies + // independent of any particular order. + while ( ! plugins_to_activate.empty() ) { + std::vector errors; + auto plugins_left = plugins_to_activate; + + for ( const auto& x : plugins_to_activate ) { - if ( ! 
ActivateDynamicPluginInternal(i->first) ) - return false; + if ( ActivateDynamicPluginInternal(x.first, x.second, &errors) ) + plugins_left.erase(x); } + + if ( plugins_left.size() == plugins_to_activate.size() ) + { + // Could not load a single further plugin this round, that's fatal. + for ( const auto& msg : errors ) + reporter->Error("%s", msg.c_str()); + + reporter->FatalError("aborting after plugin errors"); + } + + plugins_to_activate = std::move(plugins_left); } UpdateInputFiles(); - - return true; } void Manager::UpdateInputFiles() diff --git a/src/plugin/Manager.h b/src/plugin/Manager.h index d34c5db07e..268a5b3341 100644 --- a/src/plugin/Manager.h +++ b/src/plugin/Manager.h @@ -2,9 +2,10 @@ #pragma once -#include #include +#include #include +#include #include "zeek/plugin/Plugin.h" #include "zeek/plugin/Component.h" 
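Review bot: The comment on `plugins_to_activate` says the boolean marks whether an activation failure is fatal, but the loop passes it as the `ok_if_not_found` argument of `ActivateDynamicPluginInternal()`, and it is `true` only for the names taken from `zeek_plugin_activate()`. A comment that matches the use would be `// Plugins to activate, each paired with the ok_if_not_found flag for ActivateDynamicPluginInternal().`. In `ActivateDynamicPlugin()`, `requested_plugins.insert(std::move(name))` moves from a `const std::string&`, which is a copy; `requested_plugins.insert(name)` says what happens, and the same applies to `ActivateDynamicPlugin(std::move(x))` in the `zeek-setup.cc` hunk. The messages collected in the local `errors` vector of `ActivateDynamicPlugin()` are dropped when the plugin is rescheduled, so logging each one with `DBG_LOG(DBG_PLUGINS, ...)` would keep the first failure reason visible.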
@@ -79,28 +80,25 @@ public: * Activating a plugin involves loading its dynamic module, making its * bifs available, and adding its script paths to ZEEKPATH. * + * This attempts to activiate the plugin immediately. If that fails for + * some reason, we schedule it to be retried later with + * ActivateDynamicPlugins(). + * * @param name The name of the plugin, as found previously by - * SearchPlugin(). - * - * @return True if the plugin has been loaded successfully. - * + ยท* SearchPlugin(). */ - bool ActivateDynamicPlugin(const std::string& name); + void ActivateDynamicPlugin(const std::string& name); /** - * Activates plugins that SearchDynamicPlugins() has previously discovered. - * The effect is the same all calling \a ActivePlugin(name) for each plugin. + * Activates plugins that SearchDynamicPlugins() has previously discovered, + * including any that have failed to load in prior calls to + * ActivateDynamicPlugin(). Aborts if any plugins fails to activate. * * @param all If true, activates all plugins that are found. If false, * activates only those that should always be activated unconditionally, - * as specified via the ZEEK_PLUGIN_ACTIVATE enviroment variable. In other - * words, it's \c true in standard mode and \c false in bare mode. - * - * @return True if all plugins have been loaded successfully. If one - * fails to load, the method stops there without loading any further ones - * and returns false. + * as specified via the ZEEK_PLUGIN_ACTIVATE environment variable. In other */ - bool ActivateDynamicPlugins(bool all); + void ActivateDynamicPlugins(bool all); /** * First-stage initializion of the manager. This is called early on 
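Review bot: The rewritten doc comments in this hunk are left damaged: the `@param all` text of `ActivateDynamicPlugins()` now ends mid-sentence at `In other`, the continuation line of `@param name` carries stray characters before `* SearchPlugin().`, and `activiate` is misspelled. The removed `@return` paragraphs are not replaced by a statement of how failure is reported now that both methods return `void`. Suggested lines are `* as specified via the ZEEK_PLUGIN_ACTIVATE environment variable.` to close `@param all`, a plain ` * SearchPlugin().` continuation for `@param name`, and `Aborts with a fatal error if any plugin fails to activate.` in place of `Aborts if any plugins fails to activate.`.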
@@ -413,11 +411,15 @@ public: static void RegisterBifFile(const char* plugin, bif_init_func c); private: - bool ActivateDynamicPluginInternal(const std::string& name, bool ok_if_not_found = false); + bool ActivateDynamicPluginInternal(const std::string& name, bool ok_if_not_found, std::vector* errors); void UpdateInputFiles(); void MetaHookPre(HookType hook, const HookArgumentList& args) const; void MetaHookPost(HookType hook, const HookArgumentList& args, HookArgument result) const; + // Plugins that were explicitly requested to be activated, but failed to + // load at first. + std::set requested_plugins; + // All found dynamic plugins, mapping their names to base directory. using dynamic_plugin_map = std::map; dynamic_plugin_map dynamic_plugins; diff --git a/src/zeek-setup.cc b/src/zeek-setup.cc index 2c0aece6bf..42c0abe3cb 100644 --- a/src/zeek-setup.cc +++ b/src/zeek-setup.cc @@ -604,17 +604,8 @@ SetupResult setup(int argc, char** argv, Options* zopts) file_mgr->InitPreScript(); zeekygen_mgr->InitPreScript(); - bool missing_plugin = false; - - for ( set::const_iterator i = requested_plugins.begin(); - i != requested_plugins.end(); i++ ) - { - if ( ! plugin_mgr->ActivateDynamicPlugin(*i) ) - missing_plugin = true; - } - - if ( missing_plugin ) - reporter->FatalError("Failed to activate requested dynamic plugin(s)."); + for ( const auto& x : requested_plugins ) + plugin_mgr->ActivateDynamicPlugin(std::move(x)); plugin_mgr->ActivateDynamicPlugins(! options.bare_mode); From 459dc91463bf56c298bc3bea3ab9bf99a33ee9fd Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 24 Nov 2020 20:17:13 -0800 Subject: [PATCH 16/40] Update all submodules that have Python 2 EOL changes --- auxil/broker | 2 +- auxil/btest | 2 +- auxil/netcontrol-connectors | 2 +- auxil/zeekctl | 2 +- cmake | 2 +- doc | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/auxil/broker b/auxil/broker index 2ce76b8bda..4b1acd1218 160000 --- a/auxil/broker +++ b/auxil/broker 
@@ -1 +1 @@
-Subproject commit 2ce76b8bda0db04d807fe85f7b959191eac84fe2
+Subproject commit 4b1acd1218f6000c6ceb605f7ea3935bc489a895
diff --git a/auxil/btest b/auxil/btest
index 03b2fe6fa9..288d5ef7f4 160000
--- a/auxil/btest
+++ b/auxil/btest
@@ -1 +1 @@
-Subproject commit 03b2fe6fa958a8519cb22bbf230b8a8e081a50c9
+Subproject commit 288d5ef7f45e889e42e5a8e036873d9a11e0d5f8
diff --git a/auxil/netcontrol-connectors b/auxil/netcontrol-connectors
index 92d1bee12b..a81f860118 160000
--- a/auxil/netcontrol-connectors
+++ b/auxil/netcontrol-connectors
@@ -1 +1 @@
-Subproject commit 92d1bee12b0d92d36d784367c3c33646a7db990d
+Subproject commit a81f860118c1c981be0fab77d1f345ebab85460d
diff --git a/auxil/zeekctl b/auxil/zeekctl
index d8391deb06..6c25426bf7 160000
--- a/auxil/zeekctl
+++ b/auxil/zeekctl
@@ -1 +1 @@
-Subproject commit d8391deb06e77515cfd73687eda74870f20e342a
+Subproject commit 6c25426bf773fe3291b8e9d840a48b24273fa549
diff --git a/cmake b/cmake
index 3ee51ab551..fa6d5d2573 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit 3ee51ab5515f0f3089602d766aad737eb8b2c093
+Subproject commit fa6d5d25739f60cf0e55f7a5dc65a23c07462ece
diff --git a/doc b/doc
index 88b48fe09d..d76c85f56f 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 88b48fe09d355239afd74a36d4f948629ee0e95d
+Subproject commit d76c85f56ff7d64603eebbc49ed06ef2b816ab06
From 33a55a04c364e1ad5e3fa97dc4d5af9e5792150b Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Tue, 24 Nov 2020 20:20:02 -0800
Subject: [PATCH 17/40] Update documentation for Python >= 3.5 requirement
---
NEWS | 2 ++
src/strings.bif | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index 50458e3dd0..a020f85851 100644
--- a/NEWS
+++ b/NEWS
@@ -155,6 +155,8 @@ Removed Functionality ``connection_state_remove`` handler can now be resolved with a less-confusing approach: see the ``Conn::register_removal_hook`` function. +- Python 2 is no longer supported. Python 3.5 is the new minimum requirement. + Deprecated Functionality ------------------------ diff --git a/src/strings.bif b/src/strings.bif index ecabe195c8..7e4bbfdfcd 100644 --- a/src/strings.bif +++ b/src/strings.bif @@ -1405,7 +1405,7 @@ function swap_case%(str: string%) : string %} ## Converts a string to Title Case. This changes the first character of each sequence of non-space characters -## in the string to be capitalized. See https://docs.python.org/2/library/stdtypes.html#str.title for more info. +## in the string to be capitalized. See https://docs.python.org/3/library/stdtypes.html#str.title for more info. ## ## str: The string to convert. ## From eeec219a66ed89235093fb63753d6baf6c21de78 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 24 Nov 2020 20:23:05 -0800 Subject: [PATCH 18/40] Update CMake logic to enforce Python >= 3.5 --- CMakeLists.txt | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 8b92e39201..e8ce79519d 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -236,6 +236,7 @@ if (NOT SED_EXE) endif () endif () +list(APPEND Python_ADDITIONAL_VERSIONS 3) FindRequiredPackage(PythonInterp) FindRequiredPackage(FLEX) FindRequiredPackage(BISON) @@ -282,6 +283,12 @@ if (MISSING_PREREQS) message(FATAL_ERROR "Configuration aborted due to missing prerequisites") endif () +set(ZEEK_PYTHON_MIN 3.5.0) + +if ( PYTHON_VERSION_STRING VERSION_LESS ${ZEEK_PYTHON_MIN} ) + message(FATAL_ERROR "Python ${ZEEK_PYTHON_MIN} or greater is required.") +endif () + if ( CAF_ROOT_DIR ) find_package(CAF COMPONENTS core io openssl REQUIRED) endif () 
@@ -530,7 +537,7 @@ endif () if (INSTALL_ZEEKCTL) # CPack RPM Generator may not automatically detect this - set(CPACK_RPM_PACKAGE_REQUIRES "python >= 2.6.0") + set(CPACK_RPM_PACKAGE_REQUIRES "python >= ${ZEEK_PYTHON_MIN}") endif () # If this CMake project is a sub-project of another, we will not From 9717c623c22cc6ad3ab34db4fe6a6f6b6ed2a2e8 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 24 Nov 2020 20:27:44 -0800 Subject: [PATCH 19/40] Update Python invocations to explicit `python3` --- testing/btest/coverage/find-bro-logs.test | 4 ++-- testing/btest/scripts/base/utils/active-http.test | 4 ++-- testing/scripts/coverage-calc | 2 +- testing/scripts/httpd.py | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/testing/btest/coverage/find-bro-logs.test b/testing/btest/coverage/find-bro-logs.test index 82b5df2445..01e822deef 100644 --- a/testing/btest/coverage/find-bro-logs.test +++ b/testing/btest/coverage/find-bro-logs.test @@ -4,7 +4,7 @@ # # If this test fails, then the "Log Files" documentation page should be updated. -# @TEST-REQUIRES: which python +# @TEST-REQUIRES: which python3 # @TEST-EXEC: bash %INPUT # @TEST-EXEC: btest-diff out @@ -15,7 +15,7 @@ if [ ! -d "${BROSCRIPTS}" ]; then exit 1 fi -python find_logs.py "${BROSCRIPTS}" | sort > out +python3 find_logs.py "${BROSCRIPTS}" | sort > out @TEST-START-FILE find_logs.py import os, sys diff --git a/testing/btest/scripts/base/utils/active-http.test b/testing/btest/scripts/base/utils/active-http.test index ff80dc5bf2..36f5ec9eab 100644 --- a/testing/btest/scripts/base/utils/active-http.test +++ b/testing/btest/scripts/base/utils/active-http.test 
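Review bot: The RPM dependency set in `CPACK_RPM_PACKAGE_REQUIRES` still names the package `python` and only raises the version, so on RPM distributions where `python` is the Python 2 package, or where Python 3 ships only as `python3`, a `python >= 3.5.0` requirement would presumably be unsatisfiable or resolve to the wrong interpreter. Since the rest of this series moves to explicit `python3` invocations, the dependency should probably follow: `set(CPACK_RPM_PACKAGE_REQUIRES "python3 >= ${ZEEK_PYTHON_MIN}")`. This is worth confirming against the package names on the CentOS and Fedora images used in CI. The enclosing `if (INSTALL_ZEEKCTL)` block is fully inside the hunk.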
@@ -1,7 +1,7 @@ -# @TEST-REQUIRES: which python +# @TEST-REQUIRES: which python3 # @TEST-REQUIRES: which curl # -# @TEST-EXEC: btest-bg-run httpd python $SCRIPTS/httpd.py --max 2 --addr=127.0.0.1 +# @TEST-EXEC: btest-bg-run httpd python3 $SCRIPTS/httpd.py --max 2 --addr=127.0.0.1 # @TEST-EXEC: sleep 3 # @TEST-EXEC: btest-bg-run zeek zeek -b %INPUT # @TEST-EXEC: btest-bg-wait 15 diff --git a/testing/scripts/coverage-calc b/testing/scripts/coverage-calc index 3645f57144..016cfff5c4 100755 --- a/testing/scripts/coverage-calc +++ b/testing/scripts/coverage-calc @@ -1,4 +1,4 @@ -#! /usr/bin/env python +#! /usr/bin/env python3 # This script aggregates many files containing Zeek script coverage information # into a single file and reports the overall coverage information. Usage: diff --git a/testing/scripts/httpd.py b/testing/scripts/httpd.py index 3576f09d1a..c5cc4507b7 100755 --- a/testing/scripts/httpd.py +++ b/testing/scripts/httpd.py @@ -1,4 +1,4 @@ -#! /usr/bin/env python +#! /usr/bin/env python3 try: # Python 2 From 7d68f2ce9dd50c634b8dfb2b4f34d053918c805e Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 24 Nov 2020 20:28:29 -0800 Subject: [PATCH 20/40] Remove Python 2 compatibility logic in httpd test script --- testing/scripts/httpd.py | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/testing/scripts/httpd.py b/testing/scripts/httpd.py index c5cc4507b7..7ecfb636e9 100755 --- a/testing/scripts/httpd.py +++ b/testing/scripts/httpd.py @@ -1,11 +1,6 @@ #! /usr/bin/env python3 -try: - # Python 2 - import BaseHTTPServer -except ImportError: - # Python 3 - import http.server as BaseHTTPServer +import http.server as BaseHTTPServer class MyRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler): From 2b3d216c972ecf4d96163cdb55eaccff7139161e Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Tue, 24 Nov 2020 20:35:31 -0800 Subject: [PATCH 21/40] Update CI scripts to remove `python` vs `python3` workarounds --- ci/centos-7/Dockerfile | 8 +------- ci/centos-8/Dockerfile | 8 +------- ci/debian-10/Dockerfile | 8 +------- ci/debian-9-32bit/Dockerfile | 8 +------- ci/debian-9/Dockerfile | 8 +------- ci/fedora-31/Dockerfile | 8 +------- ci/fedora-32/Dockerfile | 8 +------- ci/fedora-33/Dockerfile | 8 +------- ci/freebsd/prepare.sh | 1 - ci/ubuntu-16.04/Dockerfile | 8 +------- ci/ubuntu-18.04/Dockerfile | 8 +------- ci/ubuntu-20.04/Dockerfile | 8 +------- 12 files changed, 11 insertions(+), 78 deletions(-) diff --git a/ci/centos-7/Dockerfile b/ci/centos-7/Dockerfile index 759d08d19a..c5734f3653 100644 --- a/ci/centos-7/Dockerfile +++ b/ci/centos-7/Dockerfile @@ -38,13 +38,7 @@ RUN yum -y install \ which \ && yum clean all && rm -rf /var/cache/yum -# Many distros adhere to PEP 394's recommendation for `python` = `python2` so -# this is a simple workaround until we drop Python 2 support and explicitly -# use `python3` for all invocations (e.g. in shebangs). -RUN ln -sf /usr/bin/python3 /usr/local/bin/python -RUN ln -sf /usr/bin/pip3 /usr/local/bin/pip - -RUN pip install junit2html +RUN pip3 install junit2html RUN echo 'unset BASH_ENV PROMPT_COMMAND ENV' > /usr/bin/zeek-ci-env && \ echo 'source /opt/rh/devtoolset-7/enable' >> /usr/bin/zeek-ci-env diff --git a/ci/centos-8/Dockerfile b/ci/centos-8/Dockerfile index 9a9df30a1e..ecdde92664 100644 --- a/ci/centos-8/Dockerfile +++ b/ci/centos-8/Dockerfile 
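Review bot: `RUN pip3 install junit2html` in ci/centos-7/Dockerfile installs whatever release is current on the package index when the image is built, with no version pin or hash check, so the CI image is not reproducible and a changed or compromised upstream release flows straight into the build environment. Pinning the version, ideally through a requirements file used with pip's hash-checking mode, would close that gap, e.g. `RUN pip3 install junit2html==<PINNED_VERSION>`. The same added line appears in the other Dockerfile hunks of this commit (centos-8, debian-10, debian-9-32bit, debian-9, fedora-31, fedora-32, fedora-33, ubuntu-16.04, ubuntu-18.04, ubuntu-20.04), and ci/freebsd/prepare.sh keeps an unpinned `pip install junit2html` as context.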
@@ -26,10 +26,4 @@ RUN dnf -y update && dnf -y install \ which \ && dnf clean all && rm -rf /var/cache/dnf -# Many distros adhere to PEP 394's recommendation for `python` = `python2` so -# this is a simple workaround until we drop Python 2 support and explicitly -# use `python3` for all invocations (e.g. in shebangs). -RUN ln -sf /usr/bin/python3 /usr/local/bin/python -RUN ln -sf /usr/bin/pip3 /usr/local/bin/pip - -RUN pip install junit2html +RUN pip3 install junit2html diff --git a/ci/debian-10/Dockerfile b/ci/debian-10/Dockerfile index ea5a9ab0b3..a0f05b6f6a 100644 --- a/ci/debian-10/Dockerfile +++ b/ci/debian-10/Dockerfile @@ -25,10 +25,4 @@ RUN apt-get update && apt-get -y install \ xz-utils \ && rm -rf /var/lib/apt/lists/* -# Many distros adhere to PEP 394's recommendation for `python` = `python2` so -# this is a simple workaround until we drop Python 2 support and explicitly -# use `python3` for all invocations (e.g. in shebangs). -RUN ln -sf /usr/bin/python3 /usr/local/bin/python -RUN ln -sf /usr/bin/pip3 /usr/local/bin/pip - -RUN pip install junit2html +RUN pip3 install junit2html diff --git a/ci/debian-9-32bit/Dockerfile b/ci/debian-9-32bit/Dockerfile index 9ff5c2161d..3a6990216d 100644 --- a/ci/debian-9-32bit/Dockerfile +++ b/ci/debian-9-32bit/Dockerfile @@ -31,12 +31,6 @@ RUN apt-get update && apt-get -y install \ RUN update-alternatives --install /usr/bin/cc cc /usr/bin/clang-7 100 RUN update-alternatives --install /usr/bin/c++ c++ /usr/bin/clang++-7 100 -# Many distros adhere to PEP 394's recommendation for `python` = `python2` so -# this is a simple workaround until we drop Python 2 support and explicitly -# use `python3` for all invocations (e.g. in shebangs). -RUN ln -sf /usr/bin/python3 /usr/local/bin/python -RUN ln -sf /usr/bin/pip3 /usr/local/bin/pip - -RUN pip install junit2html +RUN pip3 install junit2html ENV CXXFLAGS=-stdlib=libc++ diff --git a/ci/debian-9/Dockerfile b/ci/debian-9/Dockerfile index e2dabd95d0..2fcde5fc01 100644 
--- a/ci/debian-9/Dockerfile +++ b/ci/debian-9/Dockerfile @@ -28,13 +28,7 @@ RUN apt-get update && apt-get -y install \ libc++abi-7-dev \ && rm -rf /var/lib/apt/lists/* -# Many distros adhere to PEP 394's recommendation for `python` = `python2` so -# this is a simple workaround until we drop Python 2 support and explicitly -# use `python3` for all invocations (e.g. in shebangs). -RUN ln -sf /usr/bin/python3 /usr/local/bin/python -RUN ln -sf /usr/bin/pip3 /usr/local/bin/pip - -RUN pip install junit2html +RUN pip3 install junit2html ENV CC=/usr/bin/clang-7 ENV CXX=/usr/bin/clang++-7 diff --git a/ci/fedora-31/Dockerfile b/ci/fedora-31/Dockerfile index bc71a8a795..e9b24a9671 100644 --- a/ci/fedora-31/Dockerfile +++ b/ci/fedora-31/Dockerfile @@ -22,10 +22,4 @@ RUN yum -y install \ zlib-devel \ && yum clean all && rm -rf /var/cache/yum -# Many distros adhere to PEP 394's recommendation for `python` = `python2` so -# this is a simple workaround until we drop Python 2 support and explicitly -# use `python3` for all invocations (e.g. in shebangs). -RUN ln -sf /usr/bin/python3 /usr/local/bin/python -RUN ln -sf /usr/bin/pip3 /usr/local/bin/pip - -RUN pip install junit2html +RUN pip3 install junit2html diff --git a/ci/fedora-32/Dockerfile b/ci/fedora-32/Dockerfile index 80b833fdb3..87e072753c 100644 --- a/ci/fedora-32/Dockerfile +++ b/ci/fedora-32/Dockerfile @@ -22,10 +22,4 @@ RUN yum -y install \ zlib-devel \ && yum clean all && rm -rf /var/cache/yum -# Many distros adhere to PEP 394's recommendation for `python` = `python2` so -# this is a simple workaround until we drop Python 2 support and explicitly -# use `python3` for all invocations (e.g. in shebangs). -RUN ln -sf /usr/bin/python3 /usr/local/bin/python -RUN ln -sf /usr/bin/pip3 /usr/local/bin/pip - -RUN pip install junit2html +RUN pip3 install junit2html diff --git a/ci/fedora-33/Dockerfile b/ci/fedora-33/Dockerfile index 3124d85bf5..15d5f9244e 100644 --- a/ci/fedora-33/Dockerfile +++ b/ci/fedora-33/Dockerfile 
@@ -22,10 +22,4 @@ RUN yum -y install \ zlib-devel \ && yum clean all && rm -rf /var/cache/yum -# Many distros adhere to PEP 394's recommendation for `python` = `python2` so -# this is a simple workaround until we drop Python 2 support and explicitly -# use `python3` for all invocations (e.g. in shebangs). -RUN ln -sf /usr/bin/python3 /usr/local/bin/python -RUN ln -sf /usr/bin/pip3 /usr/local/bin/pip - -RUN pip install junit2html +RUN pip3 install junit2html diff --git a/ci/freebsd/prepare.sh b/ci/freebsd/prepare.sh index 097c25e243..0ec60513cf 100755 --- a/ci/freebsd/prepare.sh +++ b/ci/freebsd/prepare.sh @@ -9,5 +9,4 @@ env ASSUME_ALWAYS_YES=YES pkg bootstrap pkg install -y bash git cmake swig bison python3 base64 pyver=`python3 -c 'import sys; print(f"py{sys.version_info[0]}{sys.version_info[1]}")'` pkg install -y $pyver-sqlite3 $pyver-pip -( cd && mkdir -p ./bin && ln -s /usr/local/bin/python3 ./bin/python ) pip install junit2html diff --git a/ci/ubuntu-16.04/Dockerfile b/ci/ubuntu-16.04/Dockerfile index e094e584c5..5b65acd55f 100644 --- a/ci/ubuntu-16.04/Dockerfile +++ b/ci/ubuntu-16.04/Dockerfile @@ -28,13 +28,7 @@ RUN apt-get update && apt-get -y install \ xz-utils \ && rm -rf /var/lib/apt/lists/* -# Many distros adhere to PEP 394's recommendation for `python` = `python2` so -# this is a simple workaround until we drop Python 2 support and explicitly -# use `python3` for all invocations (e.g. in shebangs). -RUN ln -sf /usr/bin/python3 /usr/local/bin/python -RUN ln -sf /usr/bin/pip3 /usr/local/bin/pip - -RUN pip install junit2html +RUN pip3 install junit2html ENV CC=/usr/bin/clang-8 ENV CXX=/usr/bin/clang++-8 diff --git a/ci/ubuntu-18.04/Dockerfile b/ci/ubuntu-18.04/Dockerfile index e298595f39..ed5ecb3b8e 100644 --- a/ci/ubuntu-18.04/Dockerfile +++ b/ci/ubuntu-18.04/Dockerfile 
@@ -29,11 +29,5 @@ RUN apt-get update && apt-get -y install \ lcov \ && rm -rf /var/lib/apt/lists/* -# Many distros adhere to PEP 394's recommendation for `python` = `python2` so -# this is a simple workaround until we drop Python 2 support and explicitly -# use `python3` for all invocations (e.g. in shebangs). -RUN ln -sf /usr/bin/python3 /usr/local/bin/python -RUN ln -sf /usr/bin/pip3 /usr/local/bin/pip - -RUN pip install junit2html +RUN pip3 install junit2html RUN gem install coveralls-lcov diff --git a/ci/ubuntu-20.04/Dockerfile b/ci/ubuntu-20.04/Dockerfile index 3c48668794..74cf7b571e 100644 --- a/ci/ubuntu-20.04/Dockerfile +++ b/ci/ubuntu-20.04/Dockerfile @@ -29,11 +29,5 @@ RUN apt-get update && apt-get -y install \ lcov \ && rm -rf /var/lib/apt/lists/* -# Many distros adhere to PEP 394's recommendation for `python` = `python2` so -# this is a simple workaround until we drop Python 2 support and explicitly -# use `python3` for all invocations (e.g. in shebangs). -RUN ln -sf /usr/bin/python3 /usr/local/bin/python -RUN ln -sf /usr/bin/pip3 /usr/local/bin/pip - -RUN pip install junit2html +RUN pip3 install junit2html RUN gem install coveralls-lcov From 5ff44989c4f23e91cad8b2a007837d30104d483b Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 25 Nov 2020 15:19:56 -0800 Subject: [PATCH 22/40] Update CentOS CI Dockerfiles to fix git/diff dependencies --- ci/centos-7/Dockerfile | 2 +- ci/centos-8/Dockerfile | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ci/centos-7/Dockerfile b/ci/centos-7/Dockerfile index c5734f3653..5ab9df2d68 100644 --- a/ci/centos-7/Dockerfile +++ b/ci/centos-7/Dockerfile @@ -5,7 +5,7 @@ FROM centos:7 RUN yum -y install \ https://repo.ius.io/ius-release-el7.rpm \ https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm \ - && yum -y install git2u \ + && yum -y install git224 \ && yum clean all && rm -rf /var/cache/yum RUN yum -y install \ 
diff --git a/ci/centos-8/Dockerfile b/ci/centos-8/Dockerfile index ecdde92664..9f4084c8b5 100644 --- a/ci/centos-8/Dockerfile +++ b/ci/centos-8/Dockerfile @@ -23,6 +23,7 @@ RUN dnf -y update && dnf -y install \ zlib-devel \ libsqlite3x-devel \ findutils \ + diffutils \ which \ && dnf clean all && rm -rf /var/cache/dnf From acc76a816a87b5f116f7ed4a7b87165c0dced6c2 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 25 Nov 2020 17:36:38 -0800 Subject: [PATCH 23/40] Remove Fedora 31 (EOL) from CI --- .cirrus.yml | 7 ------- ci/fedora-31/Dockerfile | 31 ------------------------------- 2 files changed, 38 deletions(-) delete mode 100644 ci/fedora-31/Dockerfile diff --git a/.cirrus.yml b/.cirrus.yml index 826890ad1c..f6530b155d 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -87,13 +87,6 @@ fedora32_task: << : *RESOURCES_TEMPLATE << : *CI_TEMPLATE -fedora31_task: - container: - # Fedora 31 EOL: Nov 24 2020 - dockerfile: ci/fedora-31/Dockerfile - << : *RESOURCES_TEMPLATE - << : *CI_TEMPLATE - centos8_task: container: # CentOS 8 EOL: May 31, 2029 diff --git a/ci/fedora-31/Dockerfile b/ci/fedora-31/Dockerfile deleted file mode 100644 index bc71a8a795..0000000000 --- a/ci/fedora-31/Dockerfile +++ /dev/null @@ -1,31 +0,0 @@ -FROM fedora:31 - -RUN yum -y install \ - bison \ - cmake \ - diffutils \ - findutils \ - flex \ - git \ - gcc \ - gcc-c++ \ - libpcap-devel \ - make \ - openssl \ - openssl-devel \ - python3 \ - python3-devel \ - python3-pip\ - sqlite \ - swig \ - which \ - zlib-devel \ - && yum clean all && rm -rf /var/cache/yum - -# Many distros adhere to PEP 394's recommendation for `python` = `python2` so -# this is a simple workaround until we drop Python 2 support and explicitly -# use `python3` for all invocations (e.g. in shebangs). -RUN ln -sf /usr/bin/python3 /usr/local/bin/python -RUN ln -sf /usr/bin/pip3 /usr/local/bin/pip - -RUN pip install junit2html From b57a725d242c1072bd18bba39452f4584d3955df Mon Sep 17 00:00:00 2001 
From: Johanna Amann
Date: Thu, 26 Nov 2020 17:34:00 +0000
Subject: [PATCH 24/40] Update submodule [nomail]
---
doc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc b/doc
index 88b48fe09d..7abc3ca176 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 88b48fe09d355239afd74a36d4f948629ee0e95d
+Subproject commit 7abc3ca176eb59cc7a06a6a7b4f7b3ba21e89d2d
From d0bfce6ff423ad5e9c1d8fdb96baf3154dd15895 Mon Sep 17 00:00:00 2001
From: zeek-bot
Date: Fri, 27 Nov 2020 00:34:49 +0000
Subject: [PATCH 25/40] Update doc submodule [nomail] [skip ci]
---
doc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc b/doc
index 7abc3ca176..55103b01f3 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 7abc3ca176eb59cc7a06a6a7b4f7b3ba21e89d2d
+Subproject commit 55103b01f3ed7367a7ce59f3d1ca43046b5291b8
From 2cbd9ff905eab976f0e53cb4e989269a40671704 Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Mon, 30 Nov 2020 10:41:58 -0800
Subject: [PATCH 26/40] Update submodule(s) [nomail] [skip ci]
---
doc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc b/doc
index 55103b01f3..cf54d5ce41 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 55103b01f3ed7367a7ce59f3d1ca43046b5291b8
+Subproject commit cf54d5ce4131eb1e41ce108dc297116275ff02f7
From 7477b3ea09730c34f42c94be9ca33c8d950ffcce Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Tue, 1 Dec 2020 09:56:02 +0000
Subject: [PATCH 27/40] Add a test for compiling with static broker/binpac
---
.cirrus.yml | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/.cirrus.yml b/.cirrus.yml
index f6530b155d..a4b11fd81a 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -3,7 +3,8 @@ btest_jobs: &BTEST_JOBS 4 btest_retries: &BTEST_RETRIES 2 memory: &MEMORY 4GB -config: &CONFIG --build-type=release --enable-cpp-tests --disable-broker-tests --prefix=$CIRRUS_WORKING_DIR/install +config: &CONFIG --build-type=release --enable-cpp-tests --disable-broker-tests --prefix=$CIRRUS_WORKING_DIR/install +static_config: &STATIC_CONFIG --build-type=release --enable-cpp-tests --disable-broker-tests --enable-static-broker --enable-static-binpac --prefix=$CIRRUS_WORKING_DIR/install sanitizer_config: &SANITIZER_CONFIG --build-type=debug --enable-cpp-tests --disable-broker-tests --sanitizers=address,undefined --enable-fuzzers --enable-coverage resources_template: &RESOURCES_TEMPLATE @@ -113,6 +114,16 @@ debian10_task: << : *RESOURCES_TEMPLATE << : *CI_TEMPLATE +debian10_static_task: + container: + # Just uses a recent/common distro to run a static compile test. + # Debian 10 EOL: June 2024 + dockerfile: ci/debian-10-static/Dockerfile + << : *RESOURCES_TEMPLATE + << : *CI_TEMPLATE + env: + ZEEK_CI_CONFIGURE_FLAGS: *STATIC_CONFIG + debian9_task: container: # Debian 9 EOL: June 2022 From e27008ef26e851622ebbbd7708fbaac3da642dc7 Mon Sep 17 00:00:00 2001 
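Review bot: The new `debian10_static_task` points at `dockerfile: ci/debian-10-static/Dockerfile`, but the diffstat of this patch lists only `.cirrus.yml`, so unless another patch in the series adds that file the task has no image to build. The `env:` key is also declared after `<< : *CI_TEMPLATE`; YAML merge keys are shallow, so if the template defines its own `env` map (not visible in this hunk) the key here would replace that map rather than extend it, which is worth checking. A short comment on the task noting that it differs from `debian10_task` only in `ZEEK_CI_CONFIGURE_FLAGS` would help keep the two in step.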
From: Tim Wojtulewicz Date: Thu, 5 Nov 2020 13:18:54 -0700 Subject: [PATCH 28/40] GH-1184: Add 'source' field to weird log denoting where the weird was reported --- doc | 2 +- scripts/base/frameworks/notice/weird.zeek | 31 +- src/Conn.cc | 4 +- src/Conn.h | 2 +- src/Reporter.cc | 22 +- src/Reporter.h | 13 +- src/Sessions.cc | 6 +- src/Sessions.h | 2 +- src/analyzer/Analyzer.cc | 2 +- .../protocol/ayiya/ayiya-analyzer.pac | 4 +- .../protocol/bittorrent/BitTorrent.cc | 2 + .../protocol/dce-rpc/dce_rpc-protocol.pac | 12 +- .../protocol/gtpv1/gtpv1-analyzer.pac | 2 +- src/analyzer/protocol/http/HTTP.cc | 4 +- src/analyzer/protocol/imap/imap-analyzer.pac | 4 +- src/analyzer/protocol/login/NVT.cc | 2 +- src/analyzer/protocol/login/RSH.cc | 4 +- src/analyzer/protocol/login/Rlogin.cc | 4 +- .../protocol/socks/socks-analyzer.pac | 4 +- .../protocol/ssl/proc-certificate.pac | 75 +- .../protocol/ssl/tls-handshake-analyzer.pac | 2 +- src/analyzer/protocol/tcp/ContentLine.cc | 6 +- src/analyzer/protocol/tcp/TCP.cc | 10 +- src/analyzer/protocol/tcp/TCP.h | 3 + src/analyzer/protocol/teredo/Teredo.h | 2 +- src/analyzer/protocol/vxlan/VXLAN.cc | 2 +- src/analyzer/protocol/xmpp/xmpp-analyzer.pac | 2 +- src/event.bif | 19 + src/iosource/Packet.cc | 5 - src/iosource/Packet.h | 3 - src/iosource/PktSrc.cc | 2 +- src/packet_analysis/Analyzer.cc | 14 +- src/packet_analysis/Analyzer.h | 12 + src/packet_analysis/protocol/arp/ARP.cc | 4 +- .../protocol/ethernet/Ethernet.cc | 8 +- src/packet_analysis/protocol/fddi/FDDI.cc | 2 +- src/packet_analysis/protocol/gre/GRE.cc | 24 +- .../protocol/ieee802_11/IEEE802_11.cc | 6 +- .../ieee802_11_radio/IEEE802_11_Radio.cc | 4 +- src/packet_analysis/protocol/ip/IP.cc | 30 +- .../protocol/iptunnel/IPTunnel.cc | 10 +- .../protocol/linux_sll/LinuxSLL.cc | 2 +- src/packet_analysis/protocol/mpls/MPLS.cc | 2 +- src/packet_analysis/protocol/nflog/NFLog.cc | 8 +- src/packet_analysis/protocol/null/Null.cc | 2 +- .../protocol/ppp_serial/PPPSerial.cc | 2 +- 
src/packet_analysis/protocol/pppoe/PPPoE.cc | 2 +- src/packet_analysis/protocol/vlan/VLAN.cc | 2 +- .../protocol/wrapper/Wrapper.cc | 16 +- src/reporter.bif | 18 +- .../bifs.decode_base64_conn/weird.log | 15 +- testing/btest/Baseline/core.checksums/bad.out | 107 +- .../btest/Baseline/core.checksums/good.out | 71 +- .../Baseline/core.ip-broken-header/weird.log | 933 +++++++++--------- .../Baseline/core.negative-time/weird.log | 11 +- testing/btest/Baseline/core.truncation/output | 83 +- .../core.tunnels.ip-in-ip-version/output | 21 +- .../weird.log | 13 +- .../weird.log | 13 +- .../weird.log | 11 +- .../weird.log | 11 +- .../weird.log | 63 +- .../weird.log | 11 +- .../weird.log | 13 +- .../weird.log | 15 +- .../weird.log | 11 +- .../packet-protocol-plugin/src/LLCDemo.cc | 7 +- .../packet-protocol-plugin/src/LLCDemo.h | 4 +- .../packet-protocol-plugin/src/RawLayer.cc | 8 +- .../packet-protocol-plugin/src/RawLayer.h | 4 +- testing/external/commit-hash.zeek-testing | 2 +- .../external/commit-hash.zeek-testing-private | 2 +- 72 files changed, 964 insertions(+), 890 deletions(-) diff --git a/doc b/doc index cf54d5ce41..53208a715f 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit cf54d5ce4131eb1e41ce108dc297116275ff02f7 +Subproject commit 53208a715f76067e56d7897ac3bbf67aefab72fe diff --git a/scripts/base/frameworks/notice/weird.zeek b/scripts/base/frameworks/notice/weird.zeek index 3b5ffb6a4e..2817ee04f4 100644 --- a/scripts/base/frameworks/notice/weird.zeek +++ b/scripts/base/frameworks/notice/weird.zeek 
@@ -54,6 +54,10 @@ export { ## trouble to help identify which node is having trouble. peer: string &log &optional &default=peer_description; + ## The source of the weird. When reported by an analyzer, this + ## should be the name of the analyzer. + source: string &log &optional; + ## This field is to be provided when a weird is generated for ## the purpose of deduplicating weirds. The identifier string ## should be unique for a single instance of the weird. This field @@ -257,7 +261,7 @@ export { ## This table is used to track identifier and name pairs that should be ## temporarily ignored because the problem has already been reported. - ## This helps reduce the volume of high volume weirds by only allowing + ## This helps reduce the volume of high volume weirds by only allowing ## a unique weird every ``create_expire`` interval. global weird_ignore: set[string, string] &create_expire=10min &redef; @@ -400,16 +404,19 @@ function weird(w: Weird::Info) } # The following events come from core generated weirds typically. -event conn_weird(name: string, c: connection, addl: string) +event conn_weird(name: string, c: connection, addl: string, source: string) { local i = Info($ts=network_time(), $name=name, $conn=c, $identifier=id_string(c$id)); if ( addl != "" ) i$addl = addl; + if ( source != "" ) + i$source = source; + weird(i); } -event expired_conn_weird(name: string, id: conn_id, uid: string, addl: string) +event expired_conn_weird(name: string, id: conn_id, uid: string, addl: string, source: string) { local i = Info($ts=network_time(), $name=name, $uid=uid, $id=id, $identifier=id_string(id)); 
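Review bot: The block `if ( source != "" ) i$source = source;` is added verbatim to `conn_weird` and `expired_conn_weird` in this hunk and again to `flow_weird`, `net_weird` and `file_weird` in the hunks that follow; a small private helper that takes the `Info` record and the source string and sets the field only when it is non-empty would keep the five handlers in step. The new doc comment on the `source` field could also state that the field is left unset when the reporter passes an empty string, which is what these handlers do. The body of `expired_conn_weird` continues past the end of this hunk.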
@@ -417,10 +424,13 @@ event expired_conn_weird(name: string, id: conn_id, uid: string, addl: string) if ( addl != "" ) i$addl = addl; + if ( source != "" ) + i$source = source; + weird(i); } -event flow_weird(name: string, src: addr, dst: addr, addl: string) +event flow_weird(name: string, src: addr, dst: addr, addl: string, source: string) { # We add the source and destination as port 0/unknown because that is # what fits best here. @@ -432,25 +442,34 @@ event flow_weird(name: string, src: addr, dst: addr, addl: string) if ( addl != "" ) i$addl = addl; + if ( source != "" ) + i$source = source; + weird(i); } -event net_weird(name: string, addl: string) +event net_weird(name: string, addl: string, source: string) { local i = Info($ts=network_time(), $name=name); if ( addl != "" ) i$addl = addl; + if ( source != "" ) + i$source = source; + weird(i); } -event file_weird(name: string, f: fa_file, addl: string) +event file_weird(name: string, f: fa_file, addl: string, source: string) { local i = Info($ts=network_time(), $name=name, $addl=f$id); if ( addl != "" ) i$addl += fmt(": %s", addl); + if ( source != "" ) + i$source = source; + weird(i); } diff --git a/src/Conn.cc b/src/Conn.cc index 93a2f94520..8baf383cfb 100644 --- a/src/Conn.cc +++ b/src/Conn.cc @@ -530,10 +530,10 @@ void Connection::EnqueueEvent(EventHandlerPtr f, analyzer::Analyzer* a, event_mgr.Enqueue(f, std::move(args), util::detail::SOURCE_LOCAL, a ? a->GetID() : 0, this); } -void Connection::Weird(const char* name, const char* addl) +void Connection::Weird(const char* name, const char* addl, const char* source) { weird = 1; - reporter->Weird(this, name, addl ? addl : ""); + reporter->Weird(this, name, addl ? addl : "", source ? source : ""); } void Connection::AddTimer(timer_func timer, double t, bool do_expire, diff --git a/src/Conn.h b/src/Conn.h index a99456ce33..d3f75fcac4 100644 --- a/src/Conn.h +++ b/src/Conn.h 
@@ -238,7 +238,7 @@ public: EnqueueEvent(EventHandlerPtr h, analyzer::Analyzer* analyzer, Args&&... args) { return EnqueueEvent(h, analyzer, zeek::Args{std::forward(args)...}); } - void Weird(const char* name, const char* addl = ""); + void Weird(const char* name, const char* addl = "", const char* source = ""); bool DidWeird() const { return weird != 0; } // Cancel all associated timers. diff --git a/src/Reporter.cc b/src/Reporter.cc index abea82b3ae..241c8aa050 100644 --- a/src/Reporter.cc +++ b/src/Reporter.cc @@ -396,7 +396,7 @@ bool Reporter::PermitExpiredConnWeird(const char* name, const RecordVal& conn_id return false; } -void Reporter::Weird(const char* name, const char* addl) +void Reporter::Weird(const char* name, const char* addl, const char* source) { UpdateWeirdStats(name); @@ -406,10 +406,10 @@ void Reporter::Weird(const char* name, const char* addl) return; } - WeirdHelper(net_weird, {new StringVal(addl)}, "%s", name); + WeirdHelper(net_weird, {new StringVal(addl), new StringVal(source)}, "%s", name); } -void Reporter::Weird(file_analysis::File* f, const char* name, const char* addl) +void Reporter::Weird(file_analysis::File* f, const char* name, const char* addl, const char* source) { UpdateWeirdStats(name); @@ -424,11 +424,11 @@ void Reporter::Weird(file_analysis::File* f, const char* name, const char* addl) return; } - WeirdHelper(file_weird, {f->ToVal()->Ref(), new StringVal(addl)}, + WeirdHelper(file_weird, {f->ToVal()->Ref(), new StringVal(addl), new StringVal(source)}, "%s", name); } -void Reporter::Weird(Connection* conn, const char* name, const char* addl) +void Reporter::Weird(Connection* conn, const char* name, const char* addl, const char* source) { UpdateWeirdStats(name); 
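Review bot: `Reporter::Weird(const char* name, const char* addl, const char* source)` passes `source` straight to `new StringVal(source)`, whereas `Connection::Weird` in this same patch guards the value with `source ? source : ""`. If `StringVal(const char*)` does not accept a null pointer (its definition is not visible here), a caller passing `nullptr` would crash the reporting path; the same applies to the file overload in the next hunk of Reporter.cc and to the connection, expired-connection and flow overloads after it. Either normalise at the top of each overload with `if ( ! source ) source = "";`, or state on the declarations in Reporter.h that `addl` and `source` must be non-null.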
@@ -443,12 +443,12 @@ void Reporter::Weird(Connection* conn, const char* name, const char* addl) return; } - WeirdHelper(conn_weird, {conn->ConnVal()->Ref(), new StringVal(addl)}, + WeirdHelper(conn_weird, {conn->ConnVal()->Ref(), new StringVal(addl), new StringVal(source)}, "%s", name); } -void Reporter::Weird(RecordValPtr conn_id, StringValPtr uid, - const char* name, const char* addl) +void Reporter::Weird(RecordValPtr conn_id, StringValPtr uid, const char* name, + const char* addl, const char* source) { UpdateWeirdStats(name); @@ -463,11 +463,11 @@ void Reporter::Weird(RecordValPtr conn_id, StringValPtr uid, } WeirdHelper(expired_conn_weird, - {conn_id.release(), uid.release(), new StringVal(addl)}, + {conn_id.release(), uid.release(), new StringVal(addl), new StringVal(source)}, "%s", name); } -void Reporter::Weird(const IPAddr& orig, const IPAddr& resp, const char* name, const char* addl) +void Reporter::Weird(const IPAddr& orig, const IPAddr& resp, const char* name, const char* addl, const char* source) { UpdateWeirdStats(name); @@ -482,7 +482,7 @@ void Reporter::Weird(const IPAddr& orig, const IPAddr& resp, const char* name, c } WeirdHelper(flow_weird, - {new AddrVal(orig), new AddrVal(resp), new StringVal(addl)}, + {new AddrVal(orig), new AddrVal(resp), new StringVal(addl), new StringVal(source)}, "%s", name); } diff --git a/src/Reporter.h b/src/Reporter.h index 494bed79cd..a3036d4a85 100644 --- a/src/Reporter.h +++ b/src/Reporter.h 
@@ -95,12 +95,15 @@ public: // Report a traffic weirdness, i.e., an unexpected protocol situation // that may lead to incorrectly processing a connnection. - void Weird(const char* name, const char* addl = ""); // Raises net_weird(). - void Weird(file_analysis::File* f, const char* name, const char* addl = ""); // Raises file_weird(). - void Weird(Connection* conn, const char* name, const char* addl = ""); // Raises conn_weird(). + void Weird(const char* name, const char* addl = "", const char* source = ""); // Raises net_weird(). + void Weird(file_analysis::File* f, const char* name, + const char* addl = "", const char* source = ""); // Raises file_weird(). + void Weird(Connection* conn, const char* name, + const char* addl = "", const char* source = ""); // Raises conn_weird(). void Weird(RecordValPtr conn_id, StringValPtr uid, - const char* name, const char* addl = ""); // Raises expired_conn_weird(). - void Weird(const IPAddr& orig, const IPAddr& resp, const char* name, const char* addl = ""); // Raises flow_weird(). + const char* name, const char* addl = "", const char* source = ""); // Raises expired_conn_weird(). + void Weird(const IPAddr& orig, const IPAddr& resp, const char* name, + const char* addl = "", const char* source = ""); // Raises flow_weird(). // Syslog a message. This methods does nothing if we're running // offline from a trace. diff --git a/src/Sessions.cc b/src/Sessions.cc index ba8231d369..15dfb91cb1 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -681,7 +681,7 @@ bool NetSessions::WantConnection(uint16_t src_port, uint16_t dst_port, return true; } -void NetSessions::Weird(const char* name, const Packet* pkt, const char* addl) +void NetSessions::Weird(const char* name, const Packet* pkt, const char* addl, const char* source) { const char* weird_name = name; 
@@ -694,12 +694,12 @@ void NetSessions::Weird(const char* name, const Packet* pkt, const char* addl) if ( pkt->ip_hdr ) { - reporter->Weird(pkt->ip_hdr->SrcAddr(), pkt->ip_hdr->DstAddr(), weird_name, addl); + reporter->Weird(pkt->ip_hdr->SrcAddr(), pkt->ip_hdr->DstAddr(), weird_name, addl, source); return; } } - reporter->Weird(weird_name, addl); + reporter->Weird(weird_name, addl, source); } void NetSessions::Weird(const char* name, const IP_Hdr* ip, const char* addl) diff --git a/src/Sessions.h b/src/Sessions.h index 740590641f..634e1f549c 100644 --- a/src/Sessions.h +++ b/src/Sessions.h @@ -70,7 +70,7 @@ public: void GetStats(SessionStats& s) const; void Weird(const char* name, const Packet* pkt, - const char* addl = ""); + const char* addl = "", const char* source = ""); void Weird(const char* name, const IP_Hdr* ip, const char* addl = ""); diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc index fa9ea1c414..0ff3971aa1 100644 --- a/src/analyzer/Analyzer.cc +++ b/src/analyzer/Analyzer.cc @@ -838,7 +838,7 @@ void Analyzer::EnqueueConnEvent(EventHandlerPtr f, Args args) void Analyzer::Weird(const char* name, const char* addl) { - conn->Weird(name, addl); + conn->Weird(name, addl, GetAnalyzerName()); } SupportAnalyzer* SupportAnalyzer::Sibling(bool only_active) const diff --git a/src/analyzer/protocol/ayiya/ayiya-analyzer.pac b/src/analyzer/protocol/ayiya/ayiya-analyzer.pac index b36f8acb59..427a08c510 100644 --- a/src/analyzer/protocol/ayiya/ayiya-analyzer.pac +++ b/src/analyzer/protocol/ayiya/ayiya-analyzer.pac @@ -21,7 +21,7 @@ flow AYIYA_Flow if ( e && e->Depth() >= zeek::BifConst::Tunnel::max_depth ) { - zeek::reporter->Weird(c, "tunnel_depth"); + connection()->zeek_analyzer()->Weird("tunnel_depth"); return false; } 
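Review bot: In Sessions.h only the `Packet*` overload of `NetSessions::Weird` gains a `source` parameter; the `Weird(const char* name, const IP_Hdr* ip, const char* addl = "")` declaration directly below it is left as context, so weirds raised through that overload would presumably reach the log without a `source`. If that is intended, a comment on the declaration saying so would prevent a later reader from treating it as an oversight; otherwise give it the same trailing `const char* source = ""` parameter and forward it as the `Packet*` overload does. The class body continues outside this hunk.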
@@ -34,7 +34,7 @@ flow AYIYA_Flow if ( ${pdu.next_header} != IPPROTO_IPV6 && ${pdu.next_header} != IPPROTO_IPV4 ) { - zeek::reporter->Weird(c, "ayiya_tunnel_non_ip"); + connection()->zeek_analyzer()->Weird("ayiya_tunnel_non_ip"); return false; } diff --git a/src/analyzer/protocol/bittorrent/BitTorrent.cc b/src/analyzer/protocol/bittorrent/BitTorrent.cc index 1d09dfdf98..7527df7360 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrent.cc +++ b/src/analyzer/protocol/bittorrent/BitTorrent.cc @@ -119,6 +119,8 @@ void BitTorrent_Analyzer::EndpointEOF(bool is_orig) void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig) { if ( bittorrent_peer_weird ) + + // TODO: why does bittorrent have a different set of weirds? EnqueueConnEvent(bittorrent_peer_weird, ConnVal(), val_mgr->Bool(orig), diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac index f294f564b2..c044110584 100644 --- a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac +++ b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac @@ -190,8 +190,7 @@ flow DCE_RPC_Flow(is_orig: bool) { if ( it != fb.end() ) { // We already had a first frag earlier. - zeek::reporter->Weird(connection()->zeek_analyzer()->Conn(), - "multiple_first_fragments_in_dce_rpc_reassembly"); + connection()->zeek_analyzer()->Weird("multiple_first_fragments_in_dce_rpc_reassembly"); connection()->zeek_analyzer()->SetSkip(true); return false; } 
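Review bot: In `BitTorrent_Analyzer::DeliverWeird` the added blank line and `// TODO` comment sit between the unbraced `if ( bittorrent_peer_weird )` and the `EnqueueConnEvent(...)` call it guards, which makes the call read as unconditional and is fragile if a statement is later inserted after the comment. Moving the comment above the `if` and dropping the blank line, or bracing the body, keeps the guard obvious. The TODO also means this analyzer's weirds stay on their own event, apparently without the new `source` information; a tracking reference in the comment would keep that from being forgotten. The `EnqueueConnEvent` call continues past the end of this hunk.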
@@ -212,15 +211,13 @@ flow DCE_RPC_Flow(is_orig: bool) { if ( fb.size() > zeek::BifConst::DCE_RPC::max_cmd_reassembly ) { - zeek::reporter->Weird(connection()->zeek_analyzer()->Conn(), - "too_many_dce_rpc_msgs_in_reassembly"); + connection()->zeek_analyzer()->Weird("too_many_dce_rpc_msgs_in_reassembly"); connection()->zeek_analyzer()->SetSkip(true); } if ( flowbuf->data_length() > (int)zeek::BifConst::DCE_RPC::max_frag_data ) { - zeek::reporter->Weird(connection()->zeek_analyzer()->Conn(), - "too_much_dce_rpc_fragment_data"); + connection()->zeek_analyzer()->Weird("too_much_dce_rpc_fragment_data"); connection()->zeek_analyzer()->SetSkip(true); } @@ -235,8 +232,7 @@ flow DCE_RPC_Flow(is_orig: bool) { if ( flowbuf->data_length() > (int)zeek::BifConst::DCE_RPC::max_frag_data ) { - zeek::reporter->Weird(connection()->zeek_analyzer()->Conn(), - "too_much_dce_rpc_fragment_data"); + connection()->zeek_analyzer()->Weird("too_much_dce_rpc_fragment_data"); connection()->zeek_analyzer()->SetSkip(true); } diff --git a/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac b/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac index 25c5f8a9da..c595373496 100644 --- a/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac +++ b/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac @@ -655,7 +655,7 @@ flow GTPv1_Flow(is_orig: bool) if ( e && e->Depth() >= zeek::BifConst::Tunnel::max_depth ) { - zeek::reporter->Weird(c, "tunnel_depth"); + a->Weird("tunnel_depth"); return false; } diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc index efb6ed49c3..852581c2b6 100644 --- a/src/analyzer/protocol/http/HTTP.cc +++ b/src/analyzer/protocol/http/HTTP.cc 
@@ -1262,11 +1262,11 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line) return 1; bad_http_request_with_version: - reporter->Weird(Conn(), "bad_HTTP_request_with_version"); + Weird("bad_HTTP_request_with_version"); return 0; error: - reporter->Weird(Conn(), "bad_HTTP_request"); + Weird("bad_HTTP_request"); return 0; } diff --git a/src/analyzer/protocol/imap/imap-analyzer.pac b/src/analyzer/protocol/imap/imap-analyzer.pac index ca50de03a5..f4efdbbdaa 100644 --- a/src/analyzer/protocol/imap/imap-analyzer.pac +++ b/src/analyzer/protocol/imap/imap-analyzer.pac @@ -33,7 +33,7 @@ refine connection IMAP_Conn += { if ( is_orig && commands == "starttls" ) { if ( !client_starttls_id.empty() ) - zeek::reporter->Weird(zeek_analyzer()->Conn(), "IMAP: client sent duplicate StartTLS"); + zeek_analyzer()->Weird("IMAP: client sent duplicate StartTLS"); client_starttls_id = tags; } @@ -48,7 +48,7 @@ refine connection IMAP_Conn += { zeek::BifEvent::enqueue_imap_starttls(zeek_analyzer(), zeek_analyzer()->Conn()); } else - zeek::reporter->Weird(zeek_analyzer()->Conn(), "IMAP: server refused StartTLS"); + zeek_analyzer()->Weird("IMAP: server refused StartTLS"); } return true; diff --git a/src/analyzer/protocol/login/NVT.cc b/src/analyzer/protocol/login/NVT.cc index 341c90f224..f35790f583 100644 --- a/src/analyzer/protocol/login/NVT.cc +++ b/src/analyzer/protocol/login/NVT.cc @@ -539,7 +539,7 @@ void NVT_Analyzer::DeliverChunk(int& len, const u_char*& data) else { if ( Conn()->FlagEvent(SINGULAR_LF) ) - Conn()->Weird("line_terminated_with_single_LF"); + Weird("line_terminated_with_single_LF"); buf[offset++] = c; } break; diff --git a/src/analyzer/protocol/login/RSH.cc b/src/analyzer/protocol/login/RSH.cc index 8f6a090b39..0653497585 100644 --- a/src/analyzer/protocol/login/RSH.cc +++ b/src/analyzer/protocol/login/RSH.cc 
@@ -96,7 +96,7 @@ void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data) case RSH_PRESUMED_REJECTED: if ( state == RSH_PRESUMED_REJECTED ) { - Conn()->Weird("rsh_text_after_rejected"); + Weird("rsh_text_after_rejected"); state = RSH_UNKNOWN; } @@ -140,7 +140,7 @@ void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data) void Contents_Rsh_Analyzer::BadProlog() { - Conn()->Weird("bad_rsh_prolog"); + Weird("bad_rsh_prolog"); state = RSH_UNKNOWN; } diff --git a/src/analyzer/protocol/login/Rlogin.cc b/src/analyzer/protocol/login/Rlogin.cc index 7bd927d797..b943f04610 100644 --- a/src/analyzer/protocol/login/Rlogin.cc +++ b/src/analyzer/protocol/login/Rlogin.cc @@ -161,7 +161,7 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data) if ( state == RLOGIN_LINE_MODE && peer->state == RLOGIN_PRESUMED_REJECTED ) { - Conn()->Weird("rlogin_text_after_rejected"); + Weird("rlogin_text_after_rejected"); state = RLOGIN_UNKNOWN; } @@ -203,7 +203,7 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data) void Contents_Rlogin_Analyzer::BadProlog() { - Conn()->Weird("bad_rlogin_prolog"); + Weird("bad_rlogin_prolog"); state = RLOGIN_UNKNOWN; } diff --git a/src/analyzer/protocol/socks/socks-analyzer.pac b/src/analyzer/protocol/socks/socks-analyzer.pac index 2226c1aa7f..ec633341de 100644 --- a/src/analyzer/protocol/socks/socks-analyzer.pac +++ b/src/analyzer/protocol/socks/socks-analyzer.pac 
@@ -175,13 +175,13 @@ refine connection SOCKS_Conn += { function socks5_unsupported_authentication_method(auth_method: uint8): bool %{ - zeek::reporter->Weird(zeek_analyzer()->Conn(), "socks5_unsupported_authentication_method", zeek::util::fmt("%d", auth_method)); + zeek_analyzer()->Weird("socks5_unsupported_authentication_method", zeek::util::fmt("%d", auth_method)); return true; %} function socks5_unsupported_authentication_version(auth_method: uint8, version: uint8): bool %{ - zeek::reporter->Weird(zeek_analyzer()->Conn(), "socks5_unsupported_authentication", zeek::util::fmt("method %d, version %d", auth_method, version)); + zeek_analyzer()->Weird("socks5_unsupported_authentication", zeek::util::fmt("method %d, version %d", auth_method, version)); return true; %} diff --git a/src/analyzer/protocol/ssl/proc-certificate.pac b/src/analyzer/protocol/ssl/proc-certificate.pac index a82772d2b4..a739a35d05 100644 --- a/src/analyzer/protocol/ssl/proc-certificate.pac +++ b/src/analyzer/protocol/ssl/proc-certificate.pac 
@@ -1,38 +1,39 @@ - function proc_certificate(is_orig: bool, certificates : bytestring[]) : bool - %{ - if ( certificates->size() == 0 ) - return true; - - zeek::ODesc common; - common.AddRaw("Analyzer::ANALYZER_SSL"); - common.Add(zeek_analyzer()->Conn()->StartTime()); - common.AddRaw(is_orig ? "T" : "F", 1); - zeek_analyzer()->Conn()->IDString(&common); - - static const string user_mime = "application/x-x509-user-cert"; - static const string ca_mime = "application/x-x509-ca-cert"; - - for ( unsigned int i = 0; i < certificates->size(); ++i ) - { - const bytestring& cert = (*certificates)[i]; - - if ( cert.length() <= 0 ) - { - zeek::reporter->Weird(zeek_analyzer()->Conn(), "zero_length_certificate"); - continue; - } - - zeek::ODesc file_handle; - file_handle.Add(common.Description()); - file_handle.Add(i); - - string file_id = zeek::file_mgr->HashHandle(file_handle.Description()); - - zeek::file_mgr->DataIn(reinterpret_cast(cert.data()), - cert.length(), zeek_analyzer()->GetAnalyzerTag(), - zeek_analyzer()->Conn(), is_orig, - file_id, i == 0 ? user_mime : ca_mime); - zeek::file_mgr->EndOfFile(file_id); - } +function proc_certificate(is_orig: bool, certificates : bytestring[]) : bool + %{ + if ( certificates->size() == 0 ) return true; - %} + + zeek::ODesc common; + common.AddRaw("Analyzer::ANALYZER_SSL"); + common.Add(zeek_analyzer()->Conn()->StartTime()); + common.AddRaw(is_orig ? 
"T" : "F", 1); + zeek_analyzer()->Conn()->IDString(&common); + + static const string user_mime = "application/x-x509-user-cert"; + static const string ca_mime = "application/x-x509-ca-cert"; + + for ( unsigned int i = 0; i < certificates->size(); ++i ) + { + const bytestring& cert = (*certificates)[i]; + + if ( cert.length() <= 0 ) + { + zeek::reporter->Weird(zeek_analyzer()->Conn(), "zero_length_certificate", "", + zeek_analyzer()->GetAnalyzerName()); + continue; + } + + zeek::ODesc file_handle; + file_handle.Add(common.Description()); + file_handle.Add(i); + + string file_id = zeek::file_mgr->HashHandle(file_handle.Description()); + + zeek::file_mgr->DataIn(reinterpret_cast(cert.data()), + cert.length(), zeek_analyzer()->GetAnalyzerTag(), + zeek_analyzer()->Conn(), is_orig, + file_id, i == 0 ? user_mime : ca_mime); + zeek::file_mgr->EndOfFile(file_id); + } + return true; + %} diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index f28ba40b76..9806fe31f1 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -322,7 +322,7 @@ refine connection Handshake_Conn += { } else if ( response.length() == 0 ) { - zeek::reporter->Weird(zeek_analyzer()->Conn(), "SSL_zero_length_stapled_OCSP_message"); + zeek_analyzer()->Weird("SSL_zero_length_stapled_OCSP_message"); } return true; diff --git a/src/analyzer/protocol/tcp/ContentLine.cc b/src/analyzer/protocol/tcp/ContentLine.cc index 1e5953dfe2..679f8c1f37 100644 --- a/src/analyzer/protocol/tcp/ContentLine.cc +++ b/src/analyzer/protocol/tcp/ContentLine.cc @@ -263,7 +263,7 @@ int ContentLine_Analyzer::DoDeliverOnce(int len, const u_char* data) else { if ( ! suppress_weirds && Conn()->FlagEvent(SINGULAR_LF) ) - Conn()->Weird("line_terminated_with_single_LF"); + Weird("line_terminated_with_single_LF"); buf[offset++] = c; } break; 
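Review bot: In `proc_certificate` the zero-length-certificate weird still goes through `zeek::reporter->Weird(zeek_analyzer()->Conn(), "zero_length_certificate", "", zeek_analyzer()->GetAnalyzerName())`. The other .pac analyzers in this patch switch to the analyzer's own wrapper instead. `zeek_analyzer()->Weird("zero_length_certificate");` would presumably report the same source with less to get wrong, assuming the analyzer type used here exposes `Weird`. The hunk also re-indents the whole file, which buries the single functional line; a separate whitespace-only commit would keep this change reviewable.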
@@ -282,7 +282,7 @@ int ContentLine_Analyzer::DoDeliverOnce(int len, const u_char* data) if ( last_char == '\r' ) if ( ! suppress_weirds && Conn()->FlagEvent(SINGULAR_CR) ) - Conn()->Weird("line_terminated_with_single_CR"); + Weird("line_terminated_with_single_CR"); last_char = c; } @@ -312,7 +312,7 @@ void ContentLine_Analyzer::CheckNUL() else { if ( ! suppress_weirds && Conn()->FlagEvent(NUL_IN_LINE) ) - Conn()->Weird("NUL_in_line"); + Weird("NUL_in_line"); flag_NULs = false; } } diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc index bea7dd0209..549612e501 100644 --- a/src/analyzer/protocol/tcp/TCP.cc +++ b/src/analyzer/protocol/tcp/TCP.cc @@ -461,20 +461,20 @@ static void update_window(TCP_Endpoint* endpoint, unsigned int window, } } -static void syn_weirds(TCP_Flags flags, TCP_Endpoint* endpoint, int data_len) +void TCP_Analyzer::SynWeirds(TCP_Flags flags, TCP_Endpoint* endpoint, int data_len) const { if ( flags.RST() ) - endpoint->Conn()->Weird("TCP_christmas"); + endpoint->Conn()->Weird("TCP_christmas", "", GetAnalyzerName()); if ( flags.URG() ) - endpoint->Conn()->Weird("baroque_SYN"); + endpoint->Conn()->Weird("baroque_SYN", "", GetAnalyzerName()); if ( data_len > 0 ) // Not technically wrong according to RFC 793, but the other side // would be forced to buffer data until the handshake succeeds, and // that could be bad in some cases, e.g. SYN floods. // T/TCP definitely complicates this. - endpoint->Conn()->Weird("SYN_with_data"); + endpoint->Conn()->Weird("SYN_with_data", "", GetAnalyzerName()); } void TCP_Analyzer::UpdateInactiveState(double t, @@ -1097,7 +1097,7 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, if ( flags.SYN() ) { - syn_weirds(flags, endpoint, len); + SynWeirds(flags, endpoint, len); RecordVal* SYN_vals = build_syn_packet_val(is_orig, ip, tp); init_window(endpoint, peer, flags, SYN_vals->GetField(5)->CoerceToInt(), base_seq, ack_seq); 
diff --git a/src/analyzer/protocol/tcp/TCP.h b/src/analyzer/protocol/tcp/TCP.h index 705bb157f0..6197afbd1a 100644 --- a/src/analyzer/protocol/tcp/TCP.h +++ b/src/analyzer/protocol/tcp/TCP.h @@ -167,6 +167,9 @@ protected: static int get_segment_len(int payload_len, TCP_Flags flags); private: + + void SynWeirds(TCP_Flags flags, TCP_Endpoint* endpoint, int data_len) const; + TCP_Endpoint* orig; TCP_Endpoint* resp; diff --git a/src/analyzer/protocol/teredo/Teredo.h b/src/analyzer/protocol/teredo/Teredo.h index 41a82d9b01..8f57f72a9e 100644 --- a/src/analyzer/protocol/teredo/Teredo.h +++ b/src/analyzer/protocol/teredo/Teredo.h @@ -31,7 +31,7 @@ public: void Weird(const char* name, bool force = false) const { if ( ProtocolConfirmed() || force ) - reporter->Weird(Conn(), name); + reporter->Weird(Conn(), name, "", GetAnalyzerName()); } /** diff --git a/src/analyzer/protocol/vxlan/VXLAN.cc b/src/analyzer/protocol/vxlan/VXLAN.cc index a66a3b17fc..780c2573eb 100644 --- a/src/analyzer/protocol/vxlan/VXLAN.cc +++ b/src/analyzer/protocol/vxlan/VXLAN.cc @@ -51,7 +51,7 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, if ( outer && outer->Depth() >= BifConst::Tunnel::max_depth ) { - reporter->Weird(Conn(), "tunnel_depth"); + Weird("tunnel_depth"); return; } diff --git a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac index 2520cbe6e2..7c0bfa9701 100644 --- a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac +++ b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac @@ -36,7 +36,7 @@ refine connection XMPP_Conn += { zeek::BifEvent::enqueue_xmpp_starttls(zeek_analyzer(), zeek_analyzer()->Conn()); } else if ( !is_orig && token == "proceed" ) - zeek::reporter->Weird(zeek_analyzer()->Conn(), "XMPP: proceed without starttls"); + zeek_analyzer()->Weird("XMPP: proceed without starttls"); // printf("Processed: %d %s %s %s \n", is_orig, c_str(name), c_str(rest), token_no_ns.c_str()); 
diff --git a/src/event.bif b/src/event.bif index a6829b833f..0c4bb8448a 100644 --- a/src/event.bif +++ b/src/event.bif @@ -453,12 +453,16 @@ event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%); ## ## addl: Optional additional context further describing the situation. ## +## source: Optional source for the weird. When called by analyzers, this should +## be filled in with the name of the analyzer. +## ## .. zeek:see:: flow_weird net_weird file_weird expired_conn_weird ## ## .. note:: "Weird" activity is much more common in real-world network traffic ## than one would intuitively expect. While in principle, any protocol ## violation could be an attack attempt, it's much more likely that an ## endpoint's implementation interprets an RFC quite liberally. +event conn_weird%(name: string, c: connection, addl: string, source: string%); event conn_weird%(name: string, c: connection, addl: string%); ## Generated for unexpected activity related to a specific connection whose @@ -482,12 +486,16 @@ event conn_weird%(name: string, c: connection, addl: string%); ## ## addl: Optional additional context further describing the situation. ## +## source: Optional source for the weird. When called by analyzers, this should +## be filled in with the name of the analyzer. +## ## .. zeek:see:: flow_weird net_weird file_weird conn_weird ## ## .. note:: "Weird" activity is much more common in real-world network traffic ## than one would intuitively expect. While in principle, any protocol ## violation could be an attack attempt, it's much more likely that an ## endpoint's implementation interprets an RFC quite liberally. +event expired_conn_weird%(name: string, id: conn_id, uid: string, addl: string, source: string%); event expired_conn_weird%(name: string, id: conn_id, uid: string, addl: string%); ## Generated for unexpected activity related to a pair of hosts, but independent 
@@ -507,12 +515,16 @@ event expired_conn_weird%(name: string, id: conn_id, uid: string, addl: string%) ## ## addl: Optional additional context further describing the situation. ## +## source: Optional source for the weird. When called by analyzers, this should +## be filled in with the name of the analyzer. +## ## .. zeek:see:: conn_weird net_weird file_weird expired_conn_weird ## ## .. note:: "Weird" activity is much more common in real-world network traffic ## than one would intuitively expect. While in principle, any protocol ## violation could be an attack attempt, it's much more likely that an ## endpoint's implementation interprets an RFC quite liberally. +event flow_weird%(name: string, src: addr, dst: addr, addl: string, source: string%); event flow_weird%(name: string, src: addr, dst: addr, addl: string%); ## Generated for unexpected activity that is not tied to a specific connection @@ -527,12 +539,16 @@ event flow_weird%(name: string, src: addr, dst: addr, addl: string%); ## ## addl: Optional additional context further describing the situation. ## +## source: Optional source for the weird. When called by analyzers, this should +## be filled in with the name of the analyzer. +## ## .. zeek:see:: flow_weird file_weird conn_weird expired_conn_weird ## ## .. note:: "Weird" activity is much more common in real-world network traffic ## than one would intuitively expect. While in principle, any protocol ## violation could be an attack attempt, it's much more likely that an ## endpoint's implementation interprets an RFC quite liberally. +event net_weird%(name: string, addl: string, source: string%); event net_weird%(name: string, addl: string%); ## Generated for unexpected activity that is tied to a file. 
@@ -548,12 +564,15 @@ event net_weird%(name: string, addl: string%); ## ## addl: Additional information related to the weird. ## +## source: The name of the file analyzer that generated the weird. +## ## .. zeek:see:: flow_weird net_weird conn_weird expired_conn_weird ## ## .. note:: "Weird" activity is much more common in real-world network traffic ## than one would intuitively expect. While in principle, any protocol ## violation could be an attack attempt, it's much more likely that an ## endpoint's implementation interprets an RFC quite liberally. +event file_weird%(name: string, f: fa_file, addl: string, source: string%); event file_weird%(name: string, f: fa_file, addl: string%); ## Generated regularly for the purpose of profiling Zeek's processing. This event diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc index 997ef52b78..129393aee5 100644 --- a/src/iosource/Packet.cc +++ b/src/iosource/Packet.cc @@ -76,11 +76,6 @@ Packet::~Packet() delete [] data; } -void Packet::Weird(const char* name) - { - sessions->Weird(name, this); - } - RecordValPtr Packet::ToRawPktHdrVal() const { static auto raw_pkt_hdr_type = id::find_type("raw_pkt_hdr"); diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h index 43e2ed1b4f..6bf2a506e6 100644 --- a/src/iosource/Packet.h +++ b/src/iosource/Packet.h @@ -124,9 +124,6 @@ public: [[deprecated("Remove in v4.1. Use ToRawPktHdrval() instead.")]] RecordVal* BuildPktHdrVal() const; - // Wrapper to generate a packet-level weird. Has to be public for llanalyzers to use it. - void Weird(const char* name); - /** * Maximal length of a layer 2 address. */ diff --git a/src/iosource/PktSrc.cc b/src/iosource/PktSrc.cc index d6e053fa1a..50fa3b6182 100644 --- a/src/iosource/PktSrc.cc +++ b/src/iosource/PktSrc.cc 
@@ -135,7 +135,7 @@ void PktSrc::Info(const std::string& msg) void PktSrc::Weird(const std::string& msg, const Packet* p) { - sessions->Weird(msg.c_str(), p, nullptr); + sessions->Weird(msg.c_str(), p); } void PktSrc::InternalError(const std::string& msg) diff --git a/src/packet_analysis/Analyzer.cc b/src/packet_analysis/Analyzer.cc index 871e2c6e3f..d0662c9a67 100644 --- a/src/packet_analysis/Analyzer.cc +++ b/src/packet_analysis/Analyzer.cc @@ -5,6 +5,8 @@ #include "zeek/Dict.h" #include "zeek/DebugLogger.h" #include "zeek/RunState.h" +#include "zeek/Sessions.h" +#include "zeek/util.h" namespace zeek::packet_analysis { @@ -70,7 +72,7 @@ AnalyzerPtr Analyzer::Lookup(uint32_t identifier) const } bool Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet, - uint32_t identifier) const + uint32_t identifier) const { auto inner_analyzer = Lookup(identifier); if ( ! inner_analyzer ) @@ -96,7 +98,8 @@ bool Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet) co DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s stopped, no default analyzer available.", GetAnalyzerName()); - packet->Weird("no_suitable_analyzer_found"); + + Weird("no_suitable_analyzer_found", packet); return true; } @@ -116,4 +119,9 @@ void Analyzer::RegisterProtocol(uint32_t identifier, AnalyzerPtr child) dispatcher.Register(identifier, std::move(child)); } -} +void Analyzer::Weird(const char* name, Packet* packet, const char* addl) const + { + sessions->Weird(name, packet, addl, GetAnalyzerName()); + } + +} // namespace zeek::packet_analysis diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h index a8da218a93..90a3508aca 100644 --- a/src/packet_analysis/Analyzer.h +++ b/src/packet_analysis/Analyzer.h 
@@ -148,6 +148,18 @@ protected: */ bool ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const; + /** + * Reports a Weird with the analyzer's name included in the addl field. + * + * @param name The name of the weird. + * @param packet An optional pointer to a packet to be used for additional + * information in the weird output. + * @param addl An optional string containing additional information about + * the weird. If this is passed, the analyzer's name will be prepended to + * it before output. + */ + void Weird(const char* name, Packet* packet=nullptr, const char* addl="") const; + private: Tag tag; Dispatcher dispatcher; diff --git a/src/packet_analysis/protocol/arp/ARP.cc b/src/packet_analysis/protocol/arp/ARP.cc index 0edf0816dd..f63d385ed1 100644 --- a/src/packet_analysis/protocol/arp/ARP.cc +++ b/src/packet_analysis/protocol/arp/ARP.cc @@ -89,7 +89,7 @@ bool ARPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) // Check whether the header is complete. if ( sizeof(struct arp_pkthdr) > len ) { - packet->Weird("truncated_ARP"); + Weird("truncated_ARP", packet); return false; } @@ -100,7 +100,7 @@ bool ARPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) size_t min_length = (ar_tpa(ah) - (char*) data) + ah->ar_pln; if ( min_length > len ) { - packet->Weird("truncated_ARP"); + Weird("truncated_ARP", packet); return false; } diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.cc b/src/packet_analysis/protocol/ethernet/Ethernet.cc index 42a620a83f..a64a5c0f7c 100644 --- a/src/packet_analysis/protocol/ethernet/Ethernet.cc +++ b/src/packet_analysis/protocol/ethernet/Ethernet.cc @@ -25,7 +25,7 @@ bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa // to pull bytes out of it. if ( 16 >= len ) { - packet->Weird("truncated_ethernet_frame"); + Weird("truncated_ethernet_frame", packet); return false; } 
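Review bot: The doc comment added for `Analyzer::Weird` in src/packet_analysis/Analyzer.h says the analyzer's name is included in the `addl` field and prepended to it. The implementation added in Analyzer.cc instead passes the name as a separate argument: `sessions->Weird(name, packet, addl, GetAnalyzerName())`. The comment should match, for example `Reports a Weird with the analyzer's name as its source.` and `@param addl An optional string containing additional information about the weird.` As written, a reader would expect an analyzer prefix inside `addl`.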
@@ -36,7 +36,7 @@ bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa if ( cfplen + 14 >= len ) { - packet->Weird("truncated_link_header_cfp"); + Weird("truncated_link_header_cfp", packet); return false; } @@ -60,7 +60,7 @@ bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa { if ( 16 >= len ) { - packet->Weird("truncated_ethernet_frame"); + Weird("truncated_ethernet_frame", packet); return false; } @@ -86,6 +86,6 @@ bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa } // Undefined (1500 < EtherType < 1536) - packet->Weird("undefined_ether_type"); + Weird("undefined_ether_type", packet); return false; } diff --git a/src/packet_analysis/protocol/fddi/FDDI.cc b/src/packet_analysis/protocol/fddi/FDDI.cc index 7e8f8bf616..e296ab67e4 100644 --- a/src/packet_analysis/protocol/fddi/FDDI.cc +++ b/src/packet_analysis/protocol/fddi/FDDI.cc @@ -15,7 +15,7 @@ bool FDDIAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet if ( hdr_size >= len ) { - packet->Weird("FDDI_analyzer_failed"); + Weird("FDDI_analyzer_failed"); return false; } diff --git a/src/packet_analysis/protocol/gre/GRE.cc b/src/packet_analysis/protocol/gre/GRE.cc index cb3516a50f..6a36442b93 100644 --- a/src/packet_analysis/protocol/gre/GRE.cc +++ b/src/packet_analysis/protocol/gre/GRE.cc @@ -51,13 +51,13 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( ! BifConst::Tunnel::enable_gre ) { - sessions->Weird("GRE_tunnel", packet); + Weird("GRE_tunnel", packet); return false; } if ( len < gre_header_len() ) { - sessions->Weird("truncated_GRE", packet); + Weird("truncated_GRE", packet); return false; } 
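Review bot: `FDDIAnalyzer::AnalyzePacket` now calls `Weird("FDDI_analyzer_failed");` without the packet, unlike the other converted calls visible in this patch. The removed line was `packet->Weird(...)`, which forwarded the packet to `sessions->Weird`. With the `packet=nullptr` default this weird loses its packet context, and whether `NetSessions::Weird` tolerates a null packet cannot be seen from these hunks. The call should read `Weird("FDDI_analyzer_failed", packet);`.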
@@ -75,7 +75,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( gre_version != 0 && gre_version != 1 ) { - sessions->Weird("unknown_gre_version", packet, util::fmt("%d", gre_version)); + Weird("unknown_gre_version", packet, util::fmt("version=%d", gre_version)); return false; } @@ -92,7 +92,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) } else { - sessions->Weird("truncated_GRE", packet); + Weird("truncated_GRE", packet); return false; } } @@ -109,7 +109,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) } else { - sessions->Weird("truncated_GRE", packet); + Weird("truncated_GRE", packet); return false; } } @@ -132,7 +132,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) erspan_len += 8; else { - sessions->Weird("truncated_GRE", packet); + Weird("truncated_GRE", packet); return false; } } @@ -141,7 +141,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) } else { - sessions->Weird("truncated_GRE", packet); + Weird("truncated_GRE", packet); return false; } } @@ -152,7 +152,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( proto_typ != 0x880b ) { // Enhanced GRE payload must be PPP. - sessions->Weird("egre_protocol_type", packet, util::fmt("%d", proto_typ)); + Weird("egre_protocol_type", packet, util::fmt("proto=%d", proto_typ)); return false; } } 
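Review bot: Two GRE weirds change the content of `addl`, not only the call path. `unknown_gre_version` goes from `util::fmt("%d", gre_version)` to `util::fmt("version=%d", gre_version)` here, and `egre_protocol_type` goes from `"%d"` to `"proto=%d"` in the `@@ -152,7` hunk. Log pipelines or detection scripts that match or parse the `addl` value of these weirds would see a different string after this commit. Either keep the bare number, since the analyzer name now travels in `source`, or document the format change in the release notes.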
@@ -162,20 +162,20 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) // RFC 2784 deprecates the variable length routing field // specified by RFC 1701. It could be parsed here, but easiest // to just skip for now. - sessions->Weird("gre_routing", packet); + Weird("gre_routing", packet); return false; } if ( flags_ver & 0x0078 ) { // Expect last 4 bits of flags are reserved, undefined. - sessions->Weird("unknown_gre_flags", packet); + Weird("unknown_gre_flags", packet); return false; } if ( len < gre_len + ppp_len + eth_len + erspan_len ) { - sessions->Weird("truncated_GRE", packet); + Weird("truncated_GRE", packet); return false; } @@ -185,7 +185,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( ppp_proto != 0x0021 && ppp_proto != 0x0057 ) { - sessions->Weird("non_ip_packet_in_encap", packet); + Weird("non_ip_packet_in_encap", packet); return false; } diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc index 4a46046a90..d3ee996dc5 100644 --- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc +++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc @@ -15,7 +15,7 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* if ( len_80211 >= len ) { - packet->Weird("truncated_802_11_header"); + Weird("truncated_802_11_header", packet); return false; } @@ -47,7 +47,7 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* if ( len_80211 >= len ) { - packet->Weird("truncated_802_11_header"); + Weird("truncated_802_11_header", packet); return false; } @@ -82,7 +82,7 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* len_80211 += 8; if ( len_80211 >= len ) { - packet->Weird("truncated_802_11_header"); + Weird("truncated_802_11_header", packet); return false; } 
diff --git a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc index 8f66b79437..04d6702254 100644 --- a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc +++ b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc @@ -15,7 +15,7 @@ bool IEEE802_11_RadioAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Pa { if ( 3 >= len ) { - packet->Weird("truncated_radiotap_header"); + Weird("truncated_radiotap_header", packet); return false; } @@ -24,7 +24,7 @@ bool IEEE802_11_RadioAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Pa if ( rtheader_len >= len ) { - packet->Weird("truncated_radiotap_header"); + Weird("truncated_radiotap_header", packet); return false; } diff --git a/src/packet_analysis/protocol/ip/IP.cc b/src/packet_analysis/protocol/ip/IP.cc index 90757dacd7..df3a9dfabc 100644 --- a/src/packet_analysis/protocol/ip/IP.cc +++ b/src/packet_analysis/protocol/ip/IP.cc @@ -35,7 +35,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) // check ipv4 here. We'll check ipv6 later once we determine we have an ipv6 header. if ( len < sizeof(struct ip) ) { - sessions->Weird("truncated_IP", packet); + Weird("truncated_IP", packet); return false; } @@ -56,7 +56,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { if ( len < sizeof(struct ip6_hdr) ) { - sessions->Weird("truncated_IP", packet); + Weird("truncated_IP", packet); return false; } @@ -65,7 +65,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) } else { - sessions->Weird("unknown_ip_version", packet); + Weird("unknown_ip_version", packet); return false; } 
@@ -76,7 +76,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( total_len == 0 ) { // TCP segmentation offloading can zero out the ip_len field. - sessions->Weird("ip_hdr_len_zero", packet); + Weird("ip_hdr_len_zero", packet); // Cope with the zero'd out ip_len field by using the caplen. total_len = packet->cap_len - hdr_size; @@ -84,7 +84,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( packet->len < total_len + hdr_size ) { - sessions->Weird("truncated_IPv6", packet); + Weird("truncated_IPv6", packet); return false; } @@ -93,13 +93,13 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) uint16_t ip_hdr_len = packet->ip_hdr->HdrLen(); if ( ip_hdr_len > total_len ) { - sessions->Weird("invalid_IP_header_size", packet); + Weird("invalid_IP_header_size", packet); return false; } if ( ip_hdr_len > len ) { - sessions->Weird("internally_truncated_header", packet); + Weird("internally_truncated_header", packet); return false; } @@ -107,7 +107,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { if ( ip_hdr_len < sizeof(struct ip) ) { - sessions->Weird("IPv4_min_header_size", packet); + Weird("IPv4_min_header_size", packet); return false; } } @@ -115,7 +115,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { if ( ip_hdr_len < sizeof(struct ip6_hdr) ) { - sessions->Weird("IPv6_min_header_size", packet); + Weird("IPv6_min_header_size", packet); return false; } } @@ -129,7 +129,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) ! zeek::id::find_val("ignore_checksums_nets")->Contains(packet->ip_hdr->IPHeaderSrcAddr()) && detail::in_cksum(reinterpret_cast(ip4), ip_hdr_len) != 0xffff ) { - sessions->Weird("bad_IP_checksum", packet); + Weird("bad_IP_checksum", packet); return false; } 
@@ -144,7 +144,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( len < total_len ) { - sessions->Weird("incompletely_captured_fragment", packet); + Weird("incompletely_captured_fragment", packet); // Don't try to reassemble, that's doomed. // Discard all except the first fragment (which @@ -174,7 +174,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( ip_hdr_len > total_len ) { - sessions->Weird("invalid_IP_header_size", packet); + Weird("invalid_IP_header_size", packet); return false; } } @@ -203,7 +203,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( ! ignore_checksums && mobility_header_checksum(packet->ip_hdr) != 0xffff ) { - sessions->Weird("bad_MH_checksum", packet); + Weird("bad_MH_checksum", packet); return false; } @@ -211,7 +211,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) event_mgr.Enqueue(mobile_ipv6_message, packet->ip_hdr->ToPktHdrVal()); if ( packet->ip_hdr->NextProto() != IPPROTO_NONE ) - sessions->Weird("mobility_piggyback", packet); + Weird("mobility_piggyback", packet); return true; } @@ -249,7 +249,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( ! ( packet->encap && packet->encap->LastType() == BifEnum::Tunnel::TEREDO ) ) { - sessions->Weird("ipv6_no_next", packet); + Weird("ipv6_no_next", packet); return_val = false; } break; diff --git a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc index a7455cb214..ca91c26a61 100644 --- a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc +++ b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc 
@@ -29,14 +29,14 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
 if ( ! BifConst::Tunnel::enable_ip )
 {
- sessions->Weird("IP_tunnel", packet);
+ Weird("IP_tunnel", packet);
 return false;
 }
 if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth )
 {
- sessions->Weird("exceeded_tunnel_max_depth", packet);
+ Weird("exceeded_tunnel_max_depth", packet);
 return false;
 }
@@ -52,11 +52,11 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
 // Check for a valid inner packet first.
 int result = sessions->ParseIPPacket(len, data, proto, inner);
 if ( result == -2 )
- sessions->Weird("invalid_inner_IP_version", packet);
+ Weird("invalid_inner_IP_version", packet);
 else if ( result < 0 )
- sessions->Weird("truncated_inner_IP", packet);
+ Weird("truncated_inner_IP", packet);
 else if ( result > 0 )
- sessions->Weird("inner_IP_payload_length_mismatch", packet);
+ Weird("inner_IP_payload_length_mismatch", packet);
 if ( result != 0 )
 {
diff --git a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc
index 35273cd961..77b5d780f4 100644
--- a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc
+++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc
@@ -14,7 +14,7 @@ bool LinuxSLLAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
 auto len_sll_hdr = sizeof(SLLHeader);
 if ( len_sll_hdr >= len )
 {
- packet->Weird("truncated_Linux_SLL_header");
+ Weird("truncated_Linux_SLL_header", packet);
 return false;
 }
diff --git a/src/packet_analysis/protocol/mpls/MPLS.cc b/src/packet_analysis/protocol/mpls/MPLS.cc
index 7314d507fa..b1394f6c18 100644
--- a/src/packet_analysis/protocol/mpls/MPLS.cc
+++ b/src/packet_analysis/protocol/mpls/MPLS.cc
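Review bot: The branch chain on `result` in the second IPTunnel.cc hunk depends on return codes of `sessions->ParseIPPacket` that nothing here documents: `-2`, any other negative value, and any positive value. A reader has to infer their meaning from the weird names. A one-line comment above the call would fix that, e.g. `// ParseIPPacket: 0 ok, -2 bad IP version, other <0 truncated, >0 payload length mismatch`. That mapping is inferred from the weird names and should be checked against ParseIPPacket, which is outside the hunk, as is the rest of AnalyzePacket.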
@@ -18,7 +18,7 @@ bool MPLSAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet
 {
 if ( 4 >= len )
 {
- packet->Weird("truncated_link_header");
+ Weird("truncated_link_header", packet);
 return false;
 }
diff --git a/src/packet_analysis/protocol/nflog/NFLog.cc b/src/packet_analysis/protocol/nflog/NFLog.cc
index c7ae625784..dde1dfe11c 100644
--- a/src/packet_analysis/protocol/nflog/NFLog.cc
+++ b/src/packet_analysis/protocol/nflog/NFLog.cc
@@ -13,7 +13,7 @@ bool NFLogAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packe
 {
 if ( 4 >= len )
 {
- packet->Weird("truncated_nflog_header");
+ Weird("truncated_nflog_header", packet);
 return false;
 }
@@ -23,7 +23,7 @@ bool NFLogAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packe
 if ( version != 0 )
 {
- packet->Weird("unknown_nflog_version");
+ Weird("unknown_nflog_version", packet);
 return false;
 }
@@ -38,7 +38,7 @@ bool NFLogAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packe
 {
 if ( 4 >= len )
 {
- packet->Weird("nflog_no_pcap_payload");
+ Weird("nflog_no_pcap_payload", packet);
 return false;
 }
@@ -66,7 +66,7 @@ bool NFLogAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packe
 if ( tlv_len < 4 )
 {
- packet->Weird("nflog_bad_tlv_len");
+ Weird("nflog_bad_tlv_len", packet);
 return false;
 }
 else
diff --git a/src/packet_analysis/protocol/null/Null.cc b/src/packet_analysis/protocol/null/Null.cc
index 5a28c360c7..87fe28e844 100644
--- a/src/packet_analysis/protocol/null/Null.cc
+++ b/src/packet_analysis/protocol/null/Null.cc
@@ -13,7 +13,7 @@ bool NullAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet
 {
 if ( 4 >= len )
 {
- packet->Weird("null_analyzer_failed");
+ Weird("null_analyzer_failed", packet);
 return false;
 }
diff --git a/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc b/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc
index 90214f7b76..83e66b2f22 100644
--- a/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc
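Review bot: The truncation guard `if ( 4 >= len )` in MPLS.cc compares against a bare literal, and the same pattern recurs in NFLog.cc, Null.cc, PPPSerial.cc and VLAN.cc (`4`) and in PPPoE.cc (`8`), while LinuxSLL.cc uses `sizeof(SLLHeader)`. These guards appear to be what keeps the parsing that follows inside the captured data, so a named constant per analyzer, or a comment such as `// 4 = size of the header read below`, would make each one checkable against the reads it protects. The `>=` also rejects a packet that is exactly header-sized; that is presumably intended, but worth stating in the same comment. The analyzer bodies continue outside these hunks.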
+++ b/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc
@@ -13,7 +13,7 @@ bool PPPSerialAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* p
 {
 if ( 4 >= len )
 {
- packet->Weird("truncated_ppp_serial_header");
+ Weird("truncated_ppp_serial_header", packet);
 return false;
 }
diff --git a/src/packet_analysis/protocol/pppoe/PPPoE.cc b/src/packet_analysis/protocol/pppoe/PPPoE.cc
index 7eac6d5736..d5d09f0f98 100644
--- a/src/packet_analysis/protocol/pppoe/PPPoE.cc
+++ b/src/packet_analysis/protocol/pppoe/PPPoE.cc
@@ -13,7 +13,7 @@ bool PPPoEAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packe
 {
 if ( 8 >= len )
 {
- packet->Weird("truncated_pppoe_header");
+ Weird("truncated_pppoe_header", packet);
 return false;
 }
diff --git a/src/packet_analysis/protocol/vlan/VLAN.cc b/src/packet_analysis/protocol/vlan/VLAN.cc
index 2700d814db..cb685c3aa7 100644
--- a/src/packet_analysis/protocol/vlan/VLAN.cc
+++ b/src/packet_analysis/protocol/vlan/VLAN.cc
@@ -13,7 +13,7 @@ bool VLANAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet
 {
 if ( 4 >= len )
 {
- packet->Weird("truncated_VLAN_header");
+ Weird("truncated_VLAN_header", packet);
 return false;
 }
diff --git a/src/packet_analysis/protocol/wrapper/Wrapper.cc b/src/packet_analysis/protocol/wrapper/Wrapper.cc
index c17244b4dc..d8bcf990c8 100644
--- a/src/packet_analysis/protocol/wrapper/Wrapper.cc
+++ b/src/packet_analysis/protocol/wrapper/Wrapper.cc
@@ -25,7 +25,7 @@ bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
 if ( data + cfplen + 14 >= end_of_data )
 {
- packet->Weird("truncated_link_header_cfp");
+ Weird("truncated_link_header_cfp", packet);
 return false;
 }
@@ -55,7 +55,7 @@ bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
 {
 if ( data + 4 >= end_of_data )
 {
- packet->Weird("truncated_link_header");
+ Weird("truncated_link_header", packet);
 return false;
 }
@@ -73,7 +73,7 @@ bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
 {
 if ( data + 8 >= end_of_data )
 {
- packet->Weird("truncated_link_header");
+ Weird("truncated_link_header", packet);
 return false;
 }
@@ -87,7 +87,7 @@ bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
 else
 {
 // Neither IPv4 nor IPv6.
- packet->Weird("non_ip_packet_in_pppoe_encapsulation");
+ Weird("non_ip_packet_in_pppoe_encapsulation", packet);
 return false;
 }
 }
@@ -111,7 +111,7 @@ bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
 else
 {
 // Neither IPv4 nor IPv6.
- packet->Weird("non_ip_packet_in_ethernet");
+ Weird("non_ip_packet_in_ethernet", packet);
 return false;
 }
 }
@@ -125,7 +125,7 @@ bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
 {
 if ( data + 4 >= end_of_data )
 {
- packet->Weird("truncated_link_header");
+ Weird("truncated_link_header", packet);
 return false;
 }
@@ -136,7 +136,7 @@ bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
 // We assume that what remains is IP
 if ( data + sizeof(struct ip) >= end_of_data )
 {
- packet->Weird("no_ip_in_mpls_payload");
+ Weird("no_ip_in_mpls_payload", packet);
 return false;
 }
@@ -149,7 +149,7 @@ bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
 else
 {
 // Neither IPv4 nor IPv6.
- packet->Weird("no_ip_in_mpls_payload");
+ Weird("no_ip_in_mpls_payload", packet);
 return false;
 }
 }
diff --git a/src/reporter.bif b/src/reporter.bif
index 1aec934477..339243c8e0 100644
--- a/src/reporter.bif
+++ b/src/reporter.bif
@@ -91,9 +91,9 @@ function Reporter::fatal_error_with_core%(msg: string%): bool
 ## name: the name of the weird.
 ##
 ## Returns: Always true.
-function Reporter::net_weird%(name: string%): bool
+function Reporter::net_weird%(name: string, addl: string &default="", source: string &default=""%): bool
 %{
- reporter->Weird(name->CheckString());
+ reporter->Weird(name->CheckString(), addl->CheckString(), source->CheckString());
 return zeek::val_mgr->True();
 %}
@@ -106,9 +106,9 @@ function Reporter::net_weird%(name: string%): bool
 ## resp: the responder host associated with the weird.
 ##
 ## Returns: Always true.
-function Reporter::flow_weird%(name: string, orig: addr, resp: addr%): bool
+function Reporter::flow_weird%(name: string, orig: addr, resp: addr, addl: string &default="", source: string &default=""%): bool
 %{
- reporter->Weird(orig->AsAddr(), resp->AsAddr(), name->CheckString());
+ reporter->Weird(orig->AsAddr(), resp->AsAddr(), name->CheckString(), addl->CheckString(), source->CheckString());
 return zeek::val_mgr->True();
 %}
@@ -121,17 +121,17 @@ function Reporter::flow_weird%(name: string, orig: addr, resp: addr%): bool
 ## addl: additional information to accompany the weird.
 ##
 ## Returns: Always true.
-function Reporter::conn_weird%(name: string, c: connection, addl: string &default=""%): bool
+function Reporter::conn_weird%(name: string, c: connection, addl: string &default="", source: string &default=""%): bool
 %{
 if ( c )
- reporter->Weird(c, name->CheckString(), addl->CheckString());
+ reporter->Weird(c, name->CheckString(), addl->CheckString(), source->CheckString());
 else
 {
 auto connection_record = @ARG@[1]->AsRecordVal();
 auto conn_id_val = connection_record->GetField("id");
 auto uid_val = connection_record->GetField("uid");
 reporter->Weird(conn_id_val, uid_val,
- name->CheckString(), addl->CheckString());
+ name->CheckString(), addl->CheckString(), source->CheckString());
 }
 return zeek::val_mgr->True();
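Review bot: The doc comments above `Reporter::net_weird` and `Reporter::flow_weird` still list only the old parameters, so the new `addl` and `source` arguments are undocumented; `Reporter::conn_weird` on this line and `Reporter::file_weird` in the next hunk document `addl` but not `source`. Add `## addl: additional information to accompany the weird.` where it is missing and `## source: name of the component reporting the weird; free-form text supplied by the caller.` to all four. The second line matters to log consumers: the baselines in this patch show analyzer names such as `IP` and `TCP` in the new `source` column of weird.log, and these functions forward a script-chosen string to `reporter->Weird`, presumably into that same column, so it should not be read as verified attribution.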
@@ -146,7 +146,7 @@ function Reporter::conn_weird%(name: string, c: connection, addl: string &defaul
 ## addl: additional information to accompany the weird.
 ##
 ## Returns: true if the file was still valid, else false.
-function Reporter::file_weird%(name: string, f: fa_file, addl: string &default=""%): bool
+function Reporter::file_weird%(name: string, f: fa_file, addl: string &default="", source: string&default=""%): bool
 %{
 auto fuid = f->AsRecordVal()->GetField(0)->AsStringVal();
 auto file = zeek::file_mgr->LookupFile(fuid->CheckString());
@@ -154,7 +154,7 @@ function Reporter::conn_weird%(name: string, c: connection, addl: string &defaul
 if ( ! file )
 return zeek::val_mgr->False();
- reporter->Weird(file, name->CheckString(), addl->CheckString());
+ reporter->Weird(file, name->CheckString(), addl->CheckString(), source->CheckString());
 return zeek::val_mgr->True();
 %}
diff --git a/testing/btest/Baseline/bifs.decode_base64_conn/weird.log b/testing/btest/Baseline/bifs.decode_base64_conn/weird.log
index cdee200f0b..82f7fa8a9b 100644
--- a/testing/btest/Baseline/bifs.decode_base64_conn/weird.log
+++ b/testing/btest/Baseline/bifs.decode_base64_conn/weird.log
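Review bot: In the new `Reporter::file_weird` signature the last parameter is written `source: string&default=""`, without the space before `&default` that the `net_weird`, `flow_weird` and `conn_weird` signatures use. Write it as `source: string &default=""` so the four declarations read the same and a search for the attribute finds all of them. The function body is split across the two reporter.bif hunks on this line.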
@@ -1,12 +1,13 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2019-06-07-01-59-08 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1254722767.875996 ClEkJM2Vm5giqnMf4h 10.10.1.4 1470 74.53.140.153 25 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F zeek -1437831787.861602 CmES5u32sYpV7JYN 192.168.133.100 49648 192.168.133.102 25 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F zeek -1437831799.610433 C3eiCBGOLw3VtHfOj 192.168.133.100 49655 17.167.150.73 443 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F zeek -#close 2019-06-07-01-59-08 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.10.1.4 1470 74.53.140.153 25 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F zeek - +XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 192.168.133.100 49648 192.168.133.102 25 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F zeek - +XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 192.168.133.100 49655 17.167.150.73 443 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F zeek - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.checksums/bad.out b/testing/btest/Baseline/core.checksums/bad.out index df84841c36..5d1748a8e6 100644 --- a/testing/btest/Baseline/core.checksums/bad.out +++ b/testing/btest/Baseline/core.checksums/bad.out 
@@ -1,103 +1,104 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-07 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1332784981.078396 - 127.0.0.1 0 127.0.0.1 0 bad_IP_checksum - F zeek -#close 2020-10-14-18-44-07 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 127.0.0.1 0 127.0.0.1 0 bad_IP_checksum - F zeek IP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-08 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1332784885.686428 CHhAvVGS1DHFjwGM9 127.0.0.1 30000 127.0.0.1 80 bad_TCP_checksum - F zeek -#close 2020-10-14-18-44-08 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 30000 127.0.0.1 80 bad_TCP_checksum - F zeek TCP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-08 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1332784933.501023 CHhAvVGS1DHFjwGM9 127.0.0.1 30000 127.0.0.1 13000 bad_UDP_checksum - F zeek -#close 2020-10-14-18-44-08 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool 
string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 30000 127.0.0.1 13000 bad_UDP_checksum - F zeek UDP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-09 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334075363.536871 CHhAvVGS1DHFjwGM9 192.168.1.100 8 192.168.1.101 0 bad_ICMP_checksum - F zeek -#close 2020-10-14-18-44-09 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.100 8 192.168.1.101 0 bad_ICMP_checksum - F zeek ICMP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-10 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1332785210.013051 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek -1332785210.013051 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:78:1:32::2 80 bad_TCP_checksum - F zeek -#close 2020-10-14-18-44-10 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:78:1:32::2 80 bad_TCP_checksum - F zeek TCP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-10 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string 
bool string -1332782580.798420 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek -1332782580.798420 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:78:1:32::2 13000 bad_UDP_checksum - F zeek -#close 2020-10-14-18-44-10 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:78:1:32::2 13000 bad_UDP_checksum - F zeek UDP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-11 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334075111.800086 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek -1334075111.800086 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:78:1:32::1 129 bad_ICMP_checksum - F zeek -#close 2020-10-14-18-44-11 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:78:1:32::1 129 bad_ICMP_checksum - F zeek ICMP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-11 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1332785250.469132 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:4f8:4:7:2e0:81ff:fe52:9a6b 80 
bad_TCP_checksum - F zeek -#close 2020-10-14-18-44-11 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:4f8:4:7:2e0:81ff:fe52:9a6b 80 bad_TCP_checksum - F zeek TCP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-12 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1332781342.923813 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:4f8:4:7:2e0:81ff:fe52:9a6b 13000 bad_UDP_checksum - F zeek -#close 2020-10-14-18-44-12 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:4f8:4:7:2e0:81ff:fe52:9a6b 13000 bad_UDP_checksum - F zeek UDP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-12 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334074939.467194 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:4f8:4:7:2e0:81ff:fe52:9a6b 129 bad_ICMP_checksum - F zeek -#close 2020-10-14-18-44-12 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:4f8:4:7:2e0:81ff:fe52:9a6b 129 bad_ICMP_checksum - F zeek ICMP +#close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/core.checksums/good.out b/testing/btest/Baseline/core.checksums/good.out index d7116bca16..72eab9b642 100644 --- a/testing/btest/Baseline/core.checksums/good.out +++ b/testing/btest/Baseline/core.checksums/good.out 
@@ -1,70 +1,71 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-12 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334074939.467194 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:4f8:4:7:2e0:81ff:fe52:9a6b 129 bad_ICMP_checksum - F zeek -#close 2020-10-14-18-44-12 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:4f8:4:7:2e0:81ff:fe52:9a6b 129 bad_ICMP_checksum - F zeek ICMP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-15 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1332785125.596793 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek -#close 2020-10-14-18-44-15 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek - +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-15 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1332782508.592037 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek -#close 2020-10-14-18-44-15 +#open XXXX-XX-XX-XX-XX-XX +#fields 
ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek - +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-16 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek -#close 2020-10-14-18-44-16 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek - +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-16 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek -#close 2020-10-14-18-44-16 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek - +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-16 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek -#close 
2020-10-14-18-44-16 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek - +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-16 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek -#close 2020-10-14-18-44-16 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.ip-broken-header/weird.log b/testing/btest/Baseline/core.ip-broken-header/weird.log index 4274eb2986..97c99cf663 100644 --- a/testing/btest/Baseline/core.ip-broken-header/weird.log +++ b/testing/btest/Baseline/core.ip-broken-header/weird.log 
@@ -1,471 +1,472 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-45-20 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1500557630.000000 - b100:7265::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - b100:7265:6300::8004:ef 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:ff:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - - - - - unknown_ip_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 
0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:722a:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:9ff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6900:0:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:2304:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:28fd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:6500:72:6369:2a29:: 0 0:80:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6900:0:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fb2a:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffbf:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:fcff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff02:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff32:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:722a:6374:6929:1000:0:6904:27ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:3afd:ffff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:69ff:ffff:ffff:ffff:ffff 0 3b1e:400:ff:0:6929:c200:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:700:fe:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 40:3bff:bf:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:21ff:ffff:fffd:f7ff 
0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:ffff:ffff:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ff7f:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:ff3a 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:0:ff00:69:2980:0:69 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:e374:6929::6927:ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:2705:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:63ce:80:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29:0:4:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7df 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:0:ffff:ff01:: 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:71fd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:2:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 0:7265:6374:6929:ff:0:27ff:28 0 126:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:fffe:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:69ff:ff00:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:fef9:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ff3a:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:6904:40 0 bf:ff3b:0:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:8000::ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 38bf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:69ff:ffff:ffff:ffff:ffff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:80:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:5:1ff:f7ff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:ff:ff00:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6904:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:180:: 0 bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:0:ff00:69:2980:0:29 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929:600:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7463:2a72:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b000:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 0:7265:6374:6929:ff:27:a800:ff 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:f9fe:ffbf:ffff:0:ff28:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 0.0.0.0 0 0.0.65.95 0 ip_hdr_len_zero - F zeek -1500557631.000000 - 0.0.0.0 0 0.0.65.95 0 invalid_IP_header_size - F zeek -1500557631.000000 - b100:7265:6374:7129:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b101:0:74:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7fd 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fb03:12ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 400:fffe:bfff::ecec:ecfc:ecec 0 ecec:ecec:ecec:ec00:ffff:ffff:fffd:ffff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:6500:72:6369:aa29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:2600:0:8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 
b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:8000:40:0:16ef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:0:1000:6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 ff00:bf3b:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b800:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:f2:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:3a40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:91:8bd6:ff00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:5445:52ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:8b:0:ffff:ffff:f7fd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fff7:820 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:9d8b:d5d5:ffff:fffc:ffff:ffff 0 3bbf:ff00:40:6e:756d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b198:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929:0:100:6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:0:100:0:480:ffbf 0 3bff:0:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29:2:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek 
-1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:fff8:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9cc2:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:f8fe:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ff21:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6b74:6929::6904:ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:ffff:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7229:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:f7fd:ffff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b104:7265:6374:2a29::6904:ff 0 3bbf:ff03:40:0:ffff:ffff:f5fd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:8000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 0.0.0.0 0 0.0.255.255 0 ip_hdr_len_zero - F zeek -1500557631.000000 - 0.0.0.0 0 0.0.255.255 0 invalid_IP_header_size - F zeek -1500557631.000000 - b100:7265:6374:6900:8000:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:4900:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:636f:6d29::5704:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:723a:6374:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00::ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F 
zeek -1500557631.000000 - 0:7265:6374:6929:ff:0:27ff:28 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929:100:0:6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:0:ffff:6804:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6927:0 0 80bf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6827:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:440:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40::80ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:908 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00::ffff:ff03:bffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:6500:72:6300:0:8000:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:8e00:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:9f74:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f701 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300::8004:ff 0 3b3f:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:6e:7d6d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:fbff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 
9c00:7265:6374:6929::ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:9529:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:3600:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bb7:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 0.0.0.0 0 0.53.0.0 0 ip_hdr_len_zero - F zeek -1500557631.000000 - 0.0.0.0 0 0.53.0.0 0 invalid_IP_header_size - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:39:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:ffff:fbfd:ffff:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929:0:8000:6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7228:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff80::ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7fc 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 100:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7200:6300:4:ff27:65fe:bfff:ff 0 ffff:0:ffff:ff3a:f700:8000:20:8ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:47:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f706 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 
b100:6500:72:e369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265::6904:2aff 0 c540:ff:ffbf:ffde:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300::8001:0 0 ::40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 0:7265:6374:6929:ff:27:2800:ff 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:f8:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:900:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7d8 0 invalid_inner_IP_version - F zeek -1500557631.000000 - ffff:ff27:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:f7ff:fdff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:0:3a00:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:0:ff40:ff00:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:63ce:29:69:7400:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:6500:72:6369:2a:2900:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:2100::8004:ef 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:6e:756d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:100:: 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 0.0.0.0 0 
0.0.0.0 0 ip_hdr_len_zero - F zeek -1500557631.000000 - 0.0.0.0 0 0.0.0.0 0 invalid_IP_header_size - F zeek -1500557631.000000 - b100:7265:6374:6929:1:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:ff:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:0:69:4:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::ff:3bff 0 4bf:8080:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:0:4ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:63f4:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6900:0:400:2a29:2aff 0 3bbf:ff00:3a:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:637b:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:340:80:ffef:ffff:fffd:f7fb 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b300:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:ae74:6929:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:6929::6904:1 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929:ff:ffff:ffff:ffff 0 ffbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ff01:1:ffff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929:0:4:0:80ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek 
-1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:0:40ff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ff7a:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:434f:4e54:454e:5453:5f44 0 4ebf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:ff:ff:fff7:ffff:fdff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:0:80::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:900 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3b01::ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929:3a00:0:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::692a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffd8:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:40:8:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6374:6929::6927:bf 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:69a9::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:5265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::97fb:ff00 0 c440:108:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:8000 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 32.0.8.99 0 0.0.0.0 0 
invalid_IP_header_size - F zeek -1500557632.000000 - b100:6500:72:6369:2a29:0:6980:ff 0 3bbf:8000:40:0:16ef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::693b:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 0.0.0.0 0 0.255.255.255 0 ip_hdr_len_zero - F zeek -1500557632.000000 - 0.0.0.0 0 0.255.255.255 0 invalid_IP_header_size - F zeek -1500557632.000000 - b100:7265:6374:6929::6928:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:5049:415f:5544:5000:0:6904:5544 0 50bf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929:0:1000:8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:3c0:ffff::fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 fe:8d9a:948b:96d6:ff00:21:6904:ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::8014:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6301::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:63ce:69:7421:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:69:d529:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff27:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff02:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - ffff:ffff:ffff:ffff::8004:ff 0 ffff:ffff:ffff:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 7200:65:6374:6929::6904:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7263:692a:7429::6904:ff 0 3b:bf00:40ff:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6306:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffe:1ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 50ff:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6374:6900:2900:0:6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6305:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 101.99.116.105 0 41.0.255.0 0 invalid_IP_header_size - F zeek -1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 ::40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 0:7265:6374:6900:0:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 2700:7265:6300:0:100:0:8004:ff00 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7200:400:65:6327:101:3ffe:ff 0 ffff:0:ffff:ff3a:2000:f8d4:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:ff:ff00:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:637c:6900:0:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:e374:6929::6904:ff 0 3bbf:ff00:40:a:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:fd00:40:0:fffc:ffff:f720:fd3a 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:722a:2374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek -1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ef 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ff01:0 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:fff2:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:2704:40:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::8004:ff 0 6800:f265:6374:6929:11:27:c00:68 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:725f:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7200:400:65:6327:fffe:bfff:0 0 5000:ff:ffff:ffff:fdf7:ff3a:2000:800 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:8000:0 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:722a:6374:6929:400:4:0:ff69 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 7dbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::8084:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929:0:ffff:ffff:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:2a29:100:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ff00:ffff:3a20:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 
3bbf:ff00:40:0:ffef:ff7d:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:6500:72:6369:2a22:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b300:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40::ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:80:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::8004:3a 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff00:0:8080 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2008:2b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:3b00:ff:0:6929:0:f7fd:ffff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929:9:0:9704:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:80fd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ffcc:c219:aa00:0:c9:640d:eb3c 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:a78b:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bff:4000:bf00:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:5265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7218:400:65:6327:fffe:bfff:ff 0 ffff:20:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 71.97.99.109 0 0.16.0.41 0 ip_hdr_len_zero - F zeek -1500557632.000000 - 71.97.99.109 0 0.16.0.41 0 invalid_IP_header_size - F zeek -1500557632.000000 - b100:7221:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929:ffff:ffff:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:7fef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:d0d6:ffff:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:29ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:6:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:0:ecff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffef:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:e929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:27ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 3a00:7265:6374:6929::8004:ff 0 c540:fe:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:40:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 65:63b1:7274:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::2104:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6328:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - f100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:6500:72:6328:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7200:400:65:ffff:ffff:ffff:ffff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:fdff:ffff:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:6500:6fd:188:4747:4747:61fd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:7fff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:27ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff4e:5654:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374::80:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::8004:3b 0 ff:ffbf:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:6500:91:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:ff:ffff:feff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6301::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:ffff:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 
40:0:ff3b:bf:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6374:6929::6927:10ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6329:ffff:2a74:ffff:ffff:ffff 0 3bbf:ff00:40:6e:756d:3b70:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 143.9.0.0 0 0.98.0.237 0 ip_hdr_len_zero - F zeek -1500557632.000000 - 143.9.0.0 0 0.98.0.237 0 invalid_IP_header_size - F zeek -1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:feff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 fffb:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7200:6365::8004:ff 0 3bbf:ff00:840:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 0:7265:6374:6929:ff:27:2800:ff 0 100:0:143:4f4e:5445:4e00:0:704c 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff02:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6909::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:feff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29::6904:2a60 0 3bbf:ff00:40:21:ffff:ffff:ffbd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:8040:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 2a72:6300:b165:7429:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:639a:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::ff00:480 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 
b100:7265:6374:6929:0:8:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b000:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:21e6:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6301:0:29:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:ff:ff40:0:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::3b04:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::8804:ff 0 3bbf:ff80:40:0:ffff:ffff:102:800 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 33bf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3b9f:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b13b:bfff:0:4000:ff:ffff:ffff:fdf7 0 ff3a:2000:800:1e04:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:0 0 ::80:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b165:6300:7274:6929::400:ff 0 3bbf:ff00:40:0:ffff:ffff:f7fd:ffff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff3b 0 0:bfff:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::3b:bfff 0 ff04:0:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:69:74a9:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 
b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:2aff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:6374:65:69:7229:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6377:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b128:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929:4:0:6904:ff 0 3b1e:400:ff:0:6929:2700:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:fd00:40:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:722a:6374:6929::6968:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bff:bf00:40:0:ffff:ffff:fffd:e7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7261:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:7929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:df00::80ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7263:65ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:f8:0:ff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:7265:6374:692d::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::4:fd 0 
c3bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29::6904:3b 0 bf:ffff:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6900:ec00:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff 0 e21e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6928:ffff:fd00:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff3b:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::ff00:bfff 0 3b00:400:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:520:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ffff 0 ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:28:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::80fb:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c2a:7200:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:7265:6374:693a::6127:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ff7f:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:7265:6374:6929:0:fffe:bfff:ff 0 ffff:ff68:0:4000:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 
b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ef 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::4:ff 0 3bbf:2700:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:7265:6374:6929::6904:ff 0 3bbf:ff00:40:27:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::2a:0 0 ::6a:ffff:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6900:a:400:2a29:3b2a 0 ffbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b1ff:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:6500:72:6369:2a29:3b00:690a:ff 0 3bbf:fb00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:722a:6374:: 0 ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:722a:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:2aff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:9500:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7200:63:65::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:fc 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6900:0 0 80bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:63ce:69:2129:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:3a:ffef:ff:ffff:f7ff 0 invalid_inner_IP_version - F zeek 
-1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:c1:800:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:9265:6300:69:7429:0:690a:ff 0 40:3bff:bf:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:dffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:1ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:724a:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:f6 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:0 0 ffff:ff:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6500:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929:0:a:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6900::2900:0 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 68.80.95.104 0 109.115.117.0 0 ip_hdr_len_zero - F zeek -1500557633.000000 - 68.80.95.104 0 109.115.117.0 0 invalid_IP_header_size - F zeek -1500557633.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:692b::6904:ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6900:29:0:6914:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:6500:72:e369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 8:1e:400:ff00:0:3200:8004:ff 0 3bff:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek 
-1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:f7fd 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:8ba:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300::8004:ff 0 48bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7365:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:5600:800:2b00:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:4021:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 0:7265:6374:6929:ff:6:27ff:28 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6b74:6909::6904:ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ff48:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:7400:2969:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:69:7429:0:690a:ff 0 40:3bff:c5:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265::6904:2a3a 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:f9ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7261:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:9fd6:ffff:2:800 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:69:7429:8000:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 
ffff:ffff:ffff:ffff:: 0 ::40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:400:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:7265:6374:6929::ff00:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:fffe:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:ffff::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 4f00:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:8000::6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929:1:400:8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 0.255.255.0 0 0.0.0.0 0 ip_hdr_len_zero - F zeek -1500557633.000000 - 0.255.255.0 0 0.0.0.0 0 invalid_IP_header_size - F zeek -1500557633.000000 - b100:7265:6374:6929:4:0:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:342b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929:400:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ffa8:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffdd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:1::69 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:ffff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100::6904:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - 9c00:722a:6374:6929:1001:900:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:40:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - 9c00:722a:6374:6929::6904:eff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - ffdb:ffff:3b00::ff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:6374:6929:ffff:ffff:8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:6300:669:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:6374:6929::693b:bdff 0 0:4000:ff:ffff:fdff:fff7:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - 0.71.103.97 0 99.116.0.128 0 invalid_IP_header_size - F zeek -1500557634.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:ff00:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:63ce:69:7429:0:690a:b1 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:29ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - 6500:0:6fd:188:4747:4747:6163:7400 0 0:2c29:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - 9c00:722a:6374:6929:8000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:6500:72:6369:2900:2a00:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:6374:2a29::6904:ff 0 
29bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:10:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - 9c00:7265:6374:6929::612f:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ffc3:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - 9c00:722a:6374:6929:1000:100:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:6374:6929:ff:ffff:ff04:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:0:ff00:69:2980:0:69 0 c4ff:bf00:ff00:3b:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - 9c00:7265:6374:69d1::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -#close 2020-10-14-18-45-20 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - b100:7265::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ef 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:ff:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 
3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - - - - - unknown_ip_version - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:9ff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6900:0:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2304:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek IPTUNNEL 
+XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:28fd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:: 0 0:80:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6900:0:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fb2a:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffbf:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:fcff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff02:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff32:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:1000:0:6904:27ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek 
IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:3afd:ffff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:69ff:ffff:ffff:ffff:ffff 0 3b1e:400:ff:0:6929:c200:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:700:fe:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 40:3bff:bf:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:ff00:840:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:21ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:ffff:ffff:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:: 0 80:ff00:40:0:ff7f:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:ff3a 0 
invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:0:ff00:69:2980:0:69 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:e374:6929::6927:ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2705:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:80:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:0:4:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7df 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:ff00:840:0:ffff:ff01:: 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:71fd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:2:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0:7265:6374:6929:ff:0:27ff:28 0 126:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:fffe:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:69ff:ff00:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:fef9:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ff3a:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:6904:40 0 bf:ff3b:0:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:8000::ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 38bf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:69ff:ffff:ffff:ffff:ffff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:80:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:5:1ff:f7ff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:ff:ff00:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:180:: 0 bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:0:ff00:69:2980:0:29 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929:600:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7463:2a72:6929:400:0:6904:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b000:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0:7265:6374:6929:ff:27:a800:ff 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:f9fe:ffbf:ffff:0:ff28:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.0.65.95 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.0.65.95 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6374:7129:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b101:0:74:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7fd 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fb03:12ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 400:fffe:bfff::ecec:ecfc:ecec 0 ecec:ecec:ecec:ec00:ffff:ffff:fffd:ffff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:aa29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:2600:0:8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:8000:40:0:16ef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:1000:6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 ff00:bf3b:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL 
+XXXXXXXXXX.XXXXXX - b800:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:f2:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:3a40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:91:8bd6:ff00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:5445:52ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:8b:0:ffff:ffff:f7fd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fff7:820 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:9d8b:d5d5:ffff:fffc:ffff:ffff 0 3bbf:ff00:40:6e:756d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b198:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929:0:100:6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:0:100:0:480:ffbf 0 3bff:0:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:2:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:fff8:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9cc2:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F 
zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:f8fe:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:ffff:ffff:ff21:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 0:7265:6b74:6929::6904:ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:ffff:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7229:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:f7fd:ffff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b104:7265:6374:2a29::6904:ff 0 3bbf:ff03:40:0:ffff:ffff:f5fd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:8000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.0.255.255 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.0.255.255 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6374:6900:8000:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:4900:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:636f:6d29::5704:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:723a:6374:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00::ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0:7265:6374:6929:ff:0:27ff:28 0 100:0:143:4f4e:5445:4e54:535f:524c 0 
invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929:100:0:6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:ffff:6804:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:0 0 80bf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6827:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:440:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40::80ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:908 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00::ffff:ff03:bffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6300:0:8000:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:8e00:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:9f74:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f701 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3b3f:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:6e:7d6d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:fbff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:9529:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:3600:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bb7:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.53.0.0 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.53.0.0 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:39:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:ffff:fbfd:ffff:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929:0:8000:6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7228:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff80::ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7fc 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 100:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:6300:4:ff27:65fe:bfff:ff 0 ffff:0:ffff:ff3a:f700:8000:20:8ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:47:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f706 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:e369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265::6904:2aff 0 c540:ff:ffbf:ffde:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8001:0 0 ::40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0:7265:6374:6929:ff:27:2800:ff 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:f8:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:900:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7d8 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - ffff:ff27:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:f7ff:fdff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:3a00:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:0:ff40:ff00:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:29:69:7400:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a:2900:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:2100::8004:ef 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:6e:756d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:100:: 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.0.0.0 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.0.0.0 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:1:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:ff:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:69:4:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::ff:3bff 0 4bf:8080:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b1e:0:4ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63f4:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6900:0:400:2a29:2aff 0 3bbf:ff00:3a:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:637b:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:340:80:ffef:ffff:fffd:f7fb 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b300:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:ae74:6929:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 
0:7265:6374:6929::6904:1 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:ff:ffff:ffff:ffff 0 ffbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ff01:1:ffff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:4:0:80ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:0:40ff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ff7a:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:434f:4e54:454e:5453:5f44 0 4ebf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:ff:ff:fff7:ffff:fdff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:0:80::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:900 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3b01::ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:3a00:0:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::692a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffd8:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:40:8:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:bf 0 
3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:69a9::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:5265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::97fb:ff00 0 c440:108:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:8000 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 32.0.8.99 0 0.0.0.0 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:6980:ff 0 3bbf:8000:40:0:16ef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::693b:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.255.255.255 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.255.255.255 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6928:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:5049:415f:5544:5000:0:6904:5544 0 50bf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:1000:8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:ff00:3c0:ffff::fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 fe:8d9a:948b:96d6:ff00:21:6904:ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8014:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6301::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:7421:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:d529:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff27:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff02:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - ffff:ffff:ffff:ffff::8004:ff 0 ffff:ffff:ffff:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 7200:65:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7263:692a:7429::6904:ff 0 3b:bf00:40ff:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6306:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffe:1ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 50ff:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6900:2900:0:6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6305:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 101.99.116.105 0 41.0.255.0 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 ::40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0:7265:6374:6900:0:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 2700:7265:6300:0:100:0:8004:ff00 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL 
+XXXXXXXXXX.XXXXXX - b100:7200:400:65:6327:101:3ffe:ff 0 ffff:0:ffff:ff3a:2000:f8d4:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:ff:ff00:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:637c:6900:0:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:e374:6929::6904:ff 0 3bbf:ff00:40:a:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:fd00:40:0:fffc:ffff:f720:fd3a 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:2374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ef 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:ffff:ffff:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ff01:0 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:fff2:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:40:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 6800:f265:6374:6929:11:27:c00:68 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:725f:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:400:65:6327:fffe:bfff:0 0 5000:ff:ffff:ffff:fdf7:ff3a:2000:800 0 invalid_inner_IP_version - F 
zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:8000:0 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:400:4:0:ff69 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 7dbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8084:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:ffff:ffff:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:100:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ff00:ffff:3a20:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ff7d:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a22:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b300:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40::ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:80:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:3a 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff00:0:8080 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL 
+XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2008:2b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b1e:3b00:ff:0:6929:0:f7fd:ffff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:9:0:9704:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:80fd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ffcc:c219:aa00:0:c9:640d:eb3c 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:a78b:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bff:4000:bf00:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:5265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7218:400:65:6327:fffe:bfff:ff 0 ffff:20:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 71.97.99.109 0 0.16.0.41 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 71.97.99.109 0 0.16.0.41 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7221:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:ffff:ffff:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:7fef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:d0d6:ffff:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 
0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:29ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:ff00:40:6:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:0:ecff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffef:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:e929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:27ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 3a00:7265:6374:6929::8004:ff 0 c540:fe:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:40:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 65:63b1:7274:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::2104:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6328:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - f100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6328:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:400:65:ffff:ffff:ffff:ffff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:fdff:ffff:f7ff 0 
invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:fb 0 3bbf:6500:6fd:188:4747:4747:61fd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:7fff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:27ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff4e:5654:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374::80:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:3b 0 ff:ffbf:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:91:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:ff00:840:ff:ffff:feff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6301::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:ffff:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 40:0:ff3b:bf:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:10ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6329:ffff:2a74:ffff:ffff:ffff 0 3bbf:ff00:40:6e:756d:3b70:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 143.9.0.0 0 0.98.0.237 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 143.9.0.0 0 0.98.0.237 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 
3bbf:ff00:40:0:ffff:feff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:ff 0 fffb:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:6365::8004:ff 0 3bbf:ff00:840:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0:7265:6374:6929:ff:27:2800:ff 0 100:0:143:4f4e:5445:4e00:0:704c 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff02:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6909::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:feff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:2a60 0 3bbf:ff00:40:21:ffff:ffff:ffbd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:8040:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 2a72:6300:b165:7429:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:639a:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::ff00:480 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:8:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b000:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:21e6:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6301:0:29:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 
3bbf:ff00:ff:ff40:0:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::3b04:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8804:ff 0 3bbf:ff80:40:0:ffff:ffff:102:800 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 33bf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3b9f:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b13b:bfff:0:4000:ff:ffff:ffff:fdf7 0 ff3a:2000:800:1e04:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:0 0 ::80:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b165:6300:7274:6929::400:ff 0 3bbf:ff00:40:0:ffff:ffff:f7fd:ffff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff3b 0 0:bfff:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::3b:bfff 0 ff04:0:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:74a9:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:2aff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6374:65:69:7229:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6377:6929::6904:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b128:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:4:0:6904:ff 0 3b1e:400:ff:0:6929:2700:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929::6904:ff 0 3bbf:fd00:40:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929::6968:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:6904:ff 0 3bff:bf00:40:0:ffff:ffff:fffd:e7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7261:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:7929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:2aff 0 3bbf:df00::80ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7263:65ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:f8:0:ff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:692d::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:fd 0 c3bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:3b 0 
bf:ffff:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6900:ec00:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 e21e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6928:ffff:fd00:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff3b:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::ff00:bfff 0 3b00:400:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b1e:520:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ffff 0 ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:28:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::80fb:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c2a:7200:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:693a::6127:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ff7f:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929:0:fffe:bfff:ff 0 ffff:ff68:0:4000:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 
b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ef 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:2700:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6904:ff 0 3bbf:ff00:40:27:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::2a:0 0 ::6a:ffff:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6900:a:400:2a29:3b2a 0 ffbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b1ff:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:3b00:690a:ff 0 3bbf:fb00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:: 0 ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:2aff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:9500:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:63:65::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:fc 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6900:0 0 80bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:2129:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL 
+XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:3a:ffef:ff:ffff:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:c1:800:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:9265:6300:69:7429:0:690a:ff 0 40:3bff:bf:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:dffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:: 0 80:ff00:40:0:1ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:724a:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:f6 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:0 0 ffff:ff:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6500:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:a:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6900::2900:0 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 68.80.95.104 0 109.115.117.0 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 68.80.95.104 0 109.115.117.0 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:692b::6904:ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6900:29:0:6914:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:e369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek 
IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 8:1e:400:ff00:0:3200:8004:ff 0 3bff:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:f7fd 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:8ba:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 48bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7365:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:5600:800:2b00:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:4021:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0:7265:6374:6929:ff:6:27ff:28 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 0:7265:6b74:6909::6904:ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ff48:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:7400:2969:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 40:3bff:c5:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265::6904:2a3a 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:f9ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL 
+XXXXXXXXXX.XXXXXX - b100:7261:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:9fd6:ffff:2:800 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:8000:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - ffff:ffff:ffff:ffff:: 0 ::40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:400:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::ff00:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:fffe:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:ffff::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 4f00:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b1e:8000::6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:1:400:8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0.255.255.0 0 0.0.0.0 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 0.255.255.0 0 0.0.0.0 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:4:0:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:342b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:400:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL 
+XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 3bbf:ffa8:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffdd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:1::69 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:ffff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:1001:900:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:40:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929::6904:eff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - ffdb:ffff:3b00::ff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:ffff:ffff:8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:669:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::693b:bdff 0 0:4000:ff:ffff:fdff:fff7:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0.71.103.97 0 99.116.0.128 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:ff00:40:ff00:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:7429:0:690a:b1 0 
3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:29ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 6500:0:6fd:188:4747:4747:6163:7400 0 0:2c29:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:8000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2900:2a00:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 29bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:10:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::612f:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ffc3:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:1000:100:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:ff:ffff:ff04:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:0:ff00:69:2980:0:69 0 c4ff:bf00:ff00:3b:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:69d1::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.negative-time/weird.log b/testing/btest/Baseline/core.negative-time/weird.log index ccc9a520af..49c7011a3b 100644 --- a/testing/btest/Baseline/core.negative-time/weird.log 
+++ b/testing/btest/Baseline/core.negative-time/weird.log @@ -1,10 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2019-06-07-01-59-25 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1425182592.408334 - - - - - negative_packet_timestamp - F zeek -#close 2019-06-07-01-59-25 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - - - - - negative_packet_timestamp - F zeek - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.truncation/output b/testing/btest/Baseline/core.truncation/output index 8c738a6546..882692db5e 100644 --- a/testing/btest/Baseline/core.truncation/output +++ b/testing/btest/Baseline/core.truncation/output 
@@ -1,81 +1,82 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-19-20-15 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334160095.895421 - - - - - truncated_IP - F zeek -#close 2020-10-14-19-20-15 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - - - - - truncated_IP - F zeek IP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-19-20-16 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334156241.519125 - - - - - truncated_IP - F zeek -#close 2020-10-14-19-20-16 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - - - - - truncated_IP - F zeek IP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-19-20-16 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334094648.590126 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:4f8:4:7:2e0:81ff:fe52:9a6b 0 truncated_IPv6 - F zeek -#close 2020-10-14-19-20-16 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:4f8:4:7:2e0:81ff:fe52:9a6b 0 
truncated_IPv6 - F zeek IP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-19-20-17 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1338328954.078361 - 10.0.0.1 0 192.0.43.10 0 internally_truncated_header - F zeek -1338328954.099743 - 192.0.43.10 0 10.0.0.1 0 internally_truncated_header - F zeek -#close 2020-10-14-19-20-17 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 10.0.0.1 0 192.0.43.10 0 internally_truncated_header - F zeek - +XXXXXXXXXX.XXXXXX - 192.0.43.10 0 10.0.0.1 0 internally_truncated_header - F zeek - +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-19-20-18 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1404148886.981015 - - - - - truncated_ethernet_frame - F zeek -#close 2020-10-14-19-20-18 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - - - - - truncated_ethernet_frame - F zeek ETHERNET +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-19-20-19 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 invalid_IP_header_size - F zeek -#close 2020-10-14-19-20-19 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types 
time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 163.253.48.183 0 192.150.187.43 0 invalid_IP_header_size - F zeek IP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-19-20-19 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 internally_truncated_header - F zeek -#close 2020-10-14-19-20-19 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 163.253.48.183 0 192.150.187.43 0 internally_truncated_header - F zeek IP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-19-20-20 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1500557630.000000 - 0.255.0.255 0 15.254.2.1 0 invalid_IP_header_size_in_tunnel - F zeek -#close 2020-10-14-19-20-20 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 0.255.0.255 0 15.254.2.1 0 invalid_IP_header_size_in_tunnel - F zeek IP +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output b/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output index bf3356a6df..86a3a3677e 100644 --- a/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output +++ b/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output 
@@ -1,20 +1,21 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2019-06-07-02-20-03 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1500557630.000000 - ff00:0:6929::6904:ff:3bbf 0 ffff:0:69:2900:0:69:400:ff3b 0 invalid_inner_IP_version_in_tunnel - F zeek -#close 2019-06-07-02-20-03 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - ff00:0:6929::6904:ff:3bbf 0 ffff:0:69:2900:0:69:400:ff3b 0 invalid_inner_IP_version_in_tunnel - F zeek IPTUNNEL +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2019-06-07-02-20-03 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1500557630.000000 - b100:7265::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -#close 2019-06-07-02-20-03 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - b100:7265::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/weird.log b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/weird.log index cec0f48ddb..d1e4c93415 100644 --- a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/weird.log +++ b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/weird.log 
@@ -1,11 +1,12 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-07-06-17-36-24 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1340127577.341510 CUM0KZ3MLUfNB0cl11 192.168.2.16 3797 83.170.1.38 32900 Teredo_bubble_with_payload - F zeek -1340127577.346849 CHhAvVGS1DHFjwGM9 192.168.2.16 3797 65.55.158.80 3544 Teredo_bubble_with_payload - F zeek -#close 2020-07-06-17-36-24 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 192.168.2.16 3797 83.170.1.38 32900 Teredo_bubble_with_payload - F zeek TEREDO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.2.16 3797 65.55.158.80 3544 Teredo_bubble_with_payload - F zeek TEREDO +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.bad-adat-encoding/weird.log b/testing/btest/Baseline/scripts.base.protocols.ftp.bad-adat-encoding/weird.log index a64ac860c3..03d7f6491d 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.bad-adat-encoding/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.bad-adat-encoding/weird.log 
@@ -1,11 +1,12 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-01-15-20-41-16 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1348168976.514202 CHhAvVGS1DHFjwGM9 192.168.57.103 60108 192.168.57.101 2811 base64_illegal_encoding character 32 ignored by Base64 decoding F zeek -1348168976.514202 CHhAvVGS1DHFjwGM9 192.168.57.103 60108 192.168.57.101 2811 ftp_adat_bad_first_token_encoding - F zeek -#close 2020-01-15-20-41-16 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.57.103 60108 192.168.57.101 2811 base64_illegal_encoding character 32 ignored by Base64 decoding F zeek - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.57.103 60108 192.168.57.101 2811 ftp_adat_bad_first_token_encoding - F zeek FTP_ADAT +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/weird.log index 246fbdc751..c40e200e0a 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/weird.log 
@@ -1,10 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-04-30-00-47-04 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1523627611.748118 CHhAvVGS1DHFjwGM9 127.0.0.1 58128 127.0.0.1 80 HTTP_range_not_matching_len - F zeek -#close 2020-04-30-00-47-04 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 58128 127.0.0.1 80 HTTP_range_not_matching_len - F zeek HTTP +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/weird.log index 5c04b34c37..bdbecc9688 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/weird.log 
@@ -1,10 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-04-30-00-47-07 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1452204358.172926 CHhAvVGS1DHFjwGM9 192.168.122.130 49157 202.7.177.41 80 bad_HTTP_request_with_version - F zeek -#close 2020-04-30-00-47-07 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.122.130 49157 202.7.177.41 80 bad_HTTP_request_with_version - F zeek HTTP +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log index e363aa1cf3..3d9f1e995a 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log 
@@ -1,36 +1,37 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-04-30-00-47-11 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1354328874.237327 ClEkJM2Vm5giqnMf4h 128.2.6.136 46563 173.194.75.103 80 missing_HTTP_uri - F zeek -1354328874.278822 C4J4Th3PJpwUYZZ6gc 128.2.6.136 46564 173.194.75.103 80 bad_HTTP_request - F zeek -1354328874.321792 CtPZjS20MLrsMUOJi2 128.2.6.136 46565 173.194.75.103 80 bad_HTTP_request - F zeek -1354328882.908690 C37jN32gN3y3AZzyf6 128.2.6.136 46569 173.194.75.103 80 bad_HTTP_request - F zeek -1354328882.949510 C3eiCBGOLw3VtHfOj 128.2.6.136 46570 173.194.75.103 80 bad_HTTP_request - F zeek -1354328887.094494 C0LAHyvtKSQHyJxIl 128.2.6.136 46572 173.194.75.103 80 bad_HTTP_request - F zeek -1354328891.141058 CFLRIC3zaTU1loLGxh 128.2.6.136 46573 173.194.75.103 80 bad_HTTP_request - F zeek -1354328891.183942 C9rXSW3KSpTYvPrlI1 128.2.6.136 46574 173.194.75.103 80 bad_HTTP_request_with_version - F zeek -1354328891.226199 Ck51lg1bScffFj34Ri 128.2.6.136 46575 173.194.75.103 80 bad_HTTP_request - F zeek -1354328891.267625 C9mvWx3ezztgzcexV7 128.2.6.136 46576 173.194.75.103 80 bad_HTTP_request_with_version - F zeek -1354328891.309065 CNnMIj2QSd84NKf7U3 128.2.6.136 46577 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek -1354328895.355012 C7fIlMZDuRiqjpYbb 128.2.6.136 46578 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek -1354328895.396634 CykQaM33ztNt0csB9a 128.2.6.136 46579 173.194.75.103 80 bad_HTTP_request - F zeek -1354328895.438812 CtxTCR2Yer0FR1tIBg 128.2.6.136 46580 173.194.75.103 80 bad_HTTP_request - F zeek -1354328895.480865 CpmdRlaUoJLN3uIRa 128.2.6.136 46581 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek -1354328903.614145 CLNN1k2QMum1aexUK7 128.2.6.136 46584 
173.194.75.103 80 bad_HTTP_request - F zeek -1354328903.656369 CBA8792iHmnhPLksKa 128.2.6.136 46585 173.194.75.103 80 bad_HTTP_request - F zeek -1354328911.832856 Cipfzj1BEnhejw8cGf 128.2.6.136 46589 173.194.75.103 80 bad_HTTP_request - F zeek -1354328911.876341 CV5WJ42jPYbNW9JNWf 128.2.6.136 46590 173.194.75.103 80 bad_HTTP_request - F zeek -1354328920.052085 CzrZOtXqhwwndQva3 128.2.6.136 46594 173.194.75.103 80 bad_HTTP_request - F zeek -1354328920.094072 CaGCc13FffXe6RkQl9 128.2.6.136 46595 173.194.75.103 80 bad_HTTP_request - F zeek -1354328924.266693 CzmEfj4RValNyLfT58 128.2.6.136 46599 173.194.75.103 80 bad_HTTP_request - F zeek -1354328924.308714 CCk2V03QgWwIurU3f 128.2.6.136 46600 173.194.75.103 80 bad_HTTP_request - F zeek -1354328924.476011 CKJVAj1rNx0nolFFc4 128.2.6.136 46604 173.194.75.103 80 bad_HTTP_request - F zeek -1354328924.518204 CD7vfu1qu4YJKe1nGi 128.2.6.136 46605 173.194.75.103 80 bad_HTTP_request - F zeek -1354328932.734579 CRJ9x54IaE7bkVEpad 128.2.6.136 46609 173.194.75.103 80 bad_HTTP_request - F zeek -1354328932.776609 CAvUKGaEgLlR4i6t2 128.2.6.136 46610 173.194.75.103 80 bad_HTTP_request - F zeek -#close 2020-04-30-00-47-11 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 128.2.6.136 46563 173.194.75.103 80 missing_HTTP_uri - F zeek HTTP +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 128.2.6.136 46564 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 128.2.6.136 46565 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 128.2.6.136 46569 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 128.2.6.136 46570 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX C0LAHyvtKSQHyJxIl 128.2.6.136 46572 173.194.75.103 80 bad_HTTP_request - F zeek HTTP 
+XXXXXXXXXX.XXXXXX CFLRIC3zaTU1loLGxh 128.2.6.136 46573 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX C9rXSW3KSpTYvPrlI1 128.2.6.136 46574 173.194.75.103 80 bad_HTTP_request_with_version - F zeek HTTP +XXXXXXXXXX.XXXXXX Ck51lg1bScffFj34Ri 128.2.6.136 46575 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX C9mvWx3ezztgzcexV7 128.2.6.136 46576 173.194.75.103 80 bad_HTTP_request_with_version - F zeek HTTP +XXXXXXXXXX.XXXXXX CNnMIj2QSd84NKf7U3 128.2.6.136 46577 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek - +XXXXXXXXXX.XXXXXX C7fIlMZDuRiqjpYbb 128.2.6.136 46578 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek - +XXXXXXXXXX.XXXXXX CykQaM33ztNt0csB9a 128.2.6.136 46579 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CtxTCR2Yer0FR1tIBg 128.2.6.136 46580 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CpmdRlaUoJLN3uIRa 128.2.6.136 46581 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek - +XXXXXXXXXX.XXXXXX CLNN1k2QMum1aexUK7 128.2.6.136 46584 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CBA8792iHmnhPLksKa 128.2.6.136 46585 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX Cipfzj1BEnhejw8cGf 128.2.6.136 46589 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 128.2.6.136 46590 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CzrZOtXqhwwndQva3 128.2.6.136 46594 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CaGCc13FffXe6RkQl9 128.2.6.136 46595 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CzmEfj4RValNyLfT58 128.2.6.136 46599 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CCk2V03QgWwIurU3f 128.2.6.136 46600 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CKJVAj1rNx0nolFFc4 128.2.6.136 46604 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CD7vfu1qu4YJKe1nGi 128.2.6.136 46605 
173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CRJ9x54IaE7bkVEpad 128.2.6.136 46609 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CAvUKGaEgLlR4i6t2 128.2.6.136 46610 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.http.no-uri/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.no-uri/weird.log index a95be12135..6d764d1be6 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.no-uri/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.no-uri/weird.log @@ -1,10 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-04-30-00-47-19 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1362692526.939527 CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 missing_HTTP_uri - F zeek -#close 2020-04-30-00-47-19 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 missing_HTTP_uri - F zeek HTTP +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log index f2e97c1d1b..85edec0db9 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log 
@@ -1,11 +1,12 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-04-30-00-47-20 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1501217955.063524 CHhAvVGS1DHFjwGM9 192.168.0.9 57322 192.150.187.12 80 illegal_%_at_end_of_URI - F zeek -1501217957.423701 ClEkJM2Vm5giqnMf4h 192.168.0.9 57323 192.150.187.12 80 partial_escape_at_end_of_URI - F zeek -#close 2020-04-30-00-47-21 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.0.9 57322 192.150.187.12 80 illegal_%_at_end_of_URI - F zeek HTTP +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.0.9 57323 192.150.187.12 80 partial_escape_at_end_of_URI - F zeek HTTP +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.longline/weird.log b/testing/btest/Baseline/scripts.base.protocols.irc.longline/weird.log index b6298a5dec..b603b26968 100644 --- a/testing/btest/Baseline/scripts.base.protocols.irc.longline/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.irc.longline/weird.log 
@@ -1,12 +1,13 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-08-08-04-23-29 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1509735979.080381 CHhAvVGS1DHFjwGM9 127.0.0.1 50164 127.0.0.1 6667 contentline_size_exceeded - F zeek -1509735979.080381 CHhAvVGS1DHFjwGM9 127.0.0.1 50164 127.0.0.1 6667 irc_line_size_exceeded - F zeek -1509735981.241042 CHhAvVGS1DHFjwGM9 127.0.0.1 50164 127.0.0.1 6667 irc_invalid_command - F zeek -#close 2020-08-08-04-23-29 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 50164 127.0.0.1 6667 contentline_size_exceeded - F zeek CONTENTLINE +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 50164 127.0.0.1 6667 irc_line_size_exceeded - F zeek IRC +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 50164 127.0.0.1 6667 irc_invalid_command - F zeek IRC +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.names-weird/weird.log b/testing/btest/Baseline/scripts.base.protocols.irc.names-weird/weird.log index 82f82027e9..cfd8f7893e 100644 --- a/testing/btest/Baseline/scripts.base.protocols.irc.names-weird/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.irc.names-weird/weird.log 
@@ -1,10 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-08-08-04-25-02 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1536797872.428637 CHhAvVGS1DHFjwGM9 127.0.0.1 65389 127.0.0.1 6666 irc_invalid_names_line - F zeek -#close 2020-08-08-04-25-02 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 65389 127.0.0.1 6666 irc_invalid_names_line - F zeek IRC +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc b/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc index f8bc8be53f..5ecb526505 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc +++ b/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc @@ -1,6 +1,7 @@ #include "LLCDemo.h" -#include "Event.h" -#include "Val.h" +#include "zeek/Event.h" +#include "zeek/Val.h" +#include "zeek/Sessions.h" #include "events.bif.h" using namespace zeek::packet_analysis::PacketDemo; @@ -15,7 +16,7 @@ bool LLCDemo::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) // Rudimentary parsing of 802.2 LLC if ( 17 >= len ) { - packet->Weird("truncated_llc_header"); + sessions->Weird("truncated_llc_header", packet); return false; } diff --git a/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.h b/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.h index a649970e85..f71e973c80 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.h +++ b/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.h 
@@ -1,7 +1,7 @@ #pragma once -#include -#include +#include "zeek/packet_analysis/Analyzer.h" +#include "zeek/packet_analysis/Component.h" namespace zeek::packet_analysis::PacketDemo { diff --git a/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.cc b/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.cc index a1bb9af237..d1c3e348d0 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.cc +++ b/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.cc @@ -1,6 +1,8 @@ #include "RawLayer.h" -#include "Event.h" -#include "Val.h" +#include "zeek/Event.h" +#include "zeek/Val.h" +#include "zeek/Sessions.h" + #include "events.bif.h" using namespace zeek::packet_analysis::PacketDemo; @@ -15,7 +17,7 @@ bool RawLayer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) constexpr auto layer_size = 21; if ( layer_size >= len ) { - packet->Weird("truncated_raw_layer"); + sessions->Weird("truncated_raw_layer", packet); return false; } diff --git a/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.h b/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.h index bf47e933ab..fce732d347 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.h +++ b/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.h @@ -1,7 +1,7 @@ #pragma once -#include -#include +#include "zeek/packet_analysis/Analyzer.h" +#include "zeek/packet_analysis/Component.h" namespace zeek::packet_analysis::PacketDemo { diff --git a/testing/external/commit-hash.zeek-testing b/testing/external/commit-hash.zeek-testing index c7c8fe63b4..89bdec14fe 100644 --- a/testing/external/commit-hash.zeek-testing +++ b/testing/external/commit-hash.zeek-testing @@ -1 +1 @@ -96a87207c28441da667353eda00fe2266fa4f4cf +7c770801300b4999bb49f1e5ee38f3f26b918aec diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private index acea080ffa..8f6625d647 100644 
--- a/testing/external/commit-hash.zeek-testing-private +++ b/testing/external/commit-hash.zeek-testing-private @@ -1 +1 @@ -4e8c53c07ff70e693c7366bf05680744ca3110c4 +02c6be7f8c98d7dd42469f266f78f9f9b5df3111 From 4498c52a8b844a15612b2fbf202f63d269dc0677 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 1 Dec 2020 09:55:50 -0800 Subject: [PATCH 29/40] Update submodule(s) [nomail] --- auxil/paraglob | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auxil/paraglob b/auxil/paraglob index aecd540164..d83dc2a0bb 160000 --- a/auxil/paraglob +++ b/auxil/paraglob @@ -1 +1 @@ -Subproject commit aecd540164c0a8488417cb7b588b44e3c9ca7ac8 +Subproject commit d83dc2a0bb6afe1c5389bc965777506b76dc9a8c From 607af85ac13e07820cfebfa918c571d01d2f19d5 Mon Sep 17 00:00:00 2001 From: Yacin Nadji Date: Tue, 1 Dec 2020 16:34:21 -0500 Subject: [PATCH 30/40] Add `count_to_double` and `int_to_double` bif functions --- src/zeek.bif | 24 +++++++++++++++++++++++ testing/btest/Baseline/bifs.to_double/out | 3 +++ testing/btest/bifs/to_double.zeek | 7 +++++++ 3 files changed, 34 insertions(+) diff --git a/src/zeek.bif b/src/zeek.bif index 81981283a9..2ce6a629e5 100644 --- a/src/zeek.bif +++ b/src/zeek.bif 
@@ -2537,6 +2537,30 @@ function interval_to_double%(i: interval%): double return zeek::make_intrusive(i); %} +## Converts an :zeek:type:`count` to a :zeek:type:`double`. +## +## c: The :zeek:type:`count` to convert. +## +## Returns: The :zeek:type:`count` *c* as :zeek:type:`double`. +## +## .. zeek:see:: double_to_count +function count_to_double%(c: count%): double + %{ + return zeek::make_intrusive(c); + %} + +## Converts an :zeek:type:`int` to a :zeek:type:`double`. +## +## i: The :zeek:type:`int` to convert. +## +## Returns: The :zeek:type:`int` *i* as :zeek:type:`double`. +## +## .. zeek:see:: double_to_int +function int_to_double%(i: int%): double + %{ + return zeek::make_intrusive(i); + %} + ## Converts a :zeek:type:`time` value to a :zeek:type:`double`. ## ## t: The :zeek:type:`time` to convert. diff --git a/testing/btest/Baseline/bifs.to_double/out b/testing/btest/Baseline/bifs.to_double/out index 8e172dcaa6..55f4f21829 100644 --- a/testing/btest/Baseline/bifs.to_double/out +++ b/testing/btest/Baseline/bifs.to_double/out @@ -4,3 +4,6 @@ 3600.0 86400.0 1342748947.655087 +0.0 +10000.0 +-41.0 diff --git a/testing/btest/bifs/to_double.zeek b/testing/btest/bifs/to_double.zeek index d62d30d5af..0247ae9ef3 100644 --- a/testing/btest/bifs/to_double.zeek +++ b/testing/btest/bifs/to_double.zeek @@ -17,4 +17,11 @@ event zeek_init() local f = current_time(); print time_to_double(f); + + local g = 0; + print count_to_double(g); + local h = 10000; + print count_to_double(h); + local i = -41; + print int_to_double(i); } From 3605e04d8316a2f5293b1d7c0f110f532126c3a1 Mon Sep 17 00:00:00 2001 
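Review bot: The doc comment added for `count_to_double` in src/zeek.bif does not say that the conversion is lossy for large inputs: a `count` is a 64-bit unsigned value, while a `double` holds integers exactly only up to 2^53, so larger counters are rounded silently. I would add a line such as `## Note: values above 2^53 cannot be represented exactly and are rounded.` to both new BIFs, since the same holds for large magnitudes passed to `int_to_double`. The cases added to testing/btest/bifs/to_double.zeek cover only 0, 10000 and -41; one value near the upper end of `count` would pin the rounding behaviour in the baseline. The first doc line also reads "Converts an :zeek:type:`count`", where "a" is meant.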
From: Jon Siwek Date: Tue, 1 Dec 2020 22:01:58 -0800 Subject: [PATCH 31/40] Update minimum required CMake to 3.5 Also now uses CMake's ENABLE_EXPORTS target property for the zeek executable to ensure symbols are visible to plugins. Prior to CMake 3.4, the policy was to export symbols by default for certain platforms, but later versions need either the explicit target property or policy. --- CMakeLists.txt | 2 +- NEWS | 2 ++ auxil/bifcl | 2 +- auxil/binpac | 2 +- auxil/broker | 2 +- auxil/paraglob | 2 +- auxil/zeek-archiver | 2 +- auxil/zeek-aux | 2 +- auxil/zeekctl | 2 +- cmake | 2 +- src/CMakeLists.txt | 6 ++---- .../binpac-flowbuffer-frame-length-plugin/CMakeLists.txt | 2 +- testing/btest/plugins/file-plugin/CMakeLists.txt | 2 +- testing/btest/plugins/packet-protocol-plugin/CMakeLists.txt | 2 +- testing/btest/plugins/pktdumper-plugin/CMakeLists.txt | 2 +- testing/btest/plugins/pktsrc-plugin/CMakeLists.txt | 2 +- testing/btest/plugins/protocol-plugin/CMakeLists.txt | 2 +- testing/btest/plugins/reader-plugin/CMakeLists.txt | 2 +- testing/btest/plugins/writer-plugin/CMakeLists.txt | 2 +- 19 files changed, 21 insertions(+), 21 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index e8ce79519d..ab87906ec0 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1,6 +1,6 @@ # When changing the minimum version here, also adapt # auxil/zeek-aux/plugin-support/skeleton/CMakeLists.txt -cmake_minimum_required(VERSION 3.0 FATAL_ERROR) +cmake_minimum_required(VERSION 3.5 FATAL_ERROR) project(Zeek C CXX) diff --git a/NEWS b/NEWS index a020f85851..edfcfc3f38 100644 --- a/NEWS +++ b/NEWS @@ -157,6 +157,8 @@ Removed Functionality - Python 2 is no longer supported. Python 3.5 is the new minimum requirement. +- CMake versions less than 3.5 are no longer supported. + Deprecated Functionality ------------------------ diff --git a/auxil/bifcl b/auxil/bifcl index e265d659fd..cac669a3d7 160000 --- a/auxil/bifcl +++ b/auxil/bifcl 
@@ -1 +1 @@ -Subproject commit e265d659fd86d7439de0f12a31f9c12a786836da +Subproject commit cac669a3d728e85f113c3d3dc589f5fc04d75e59 diff --git a/auxil/binpac b/auxil/binpac index f1392c6af9..2eae1ff58b 160000 --- a/auxil/binpac +++ b/auxil/binpac @@ -1 +1 @@ -Subproject commit f1392c6af9337c9454ab43e539739b4c8abc9bae +Subproject commit 2eae1ff58b43b8ef22792b9eee1177a7543f27e4 diff --git a/auxil/broker b/auxil/broker index 65e7ffa63c..16b3c2981b 160000 --- a/auxil/broker +++ b/auxil/broker @@ -1 +1 @@ -Subproject commit 65e7ffa63c3abae1ce485154fbc2ff7c7cafbf04 +Subproject commit 16b3c2981bbdecf3d4ff15c4f4a93c6d7fe8663d diff --git a/auxil/paraglob b/auxil/paraglob index d83dc2a0bb..48269ea29b 160000 --- a/auxil/paraglob +++ b/auxil/paraglob @@ -1 +1 @@ -Subproject commit d83dc2a0bb6afe1c5389bc965777506b76dc9a8c +Subproject commit 48269ea29b141ea808293e8558fd803a005dc8c2 diff --git a/auxil/zeek-archiver b/auxil/zeek-archiver index 107b7bd51d..e4593363e9 160000 --- a/auxil/zeek-archiver +++ b/auxil/zeek-archiver @@ -1 +1 @@ -Subproject commit 107b7bd51d530df888996553123992d05f1ee27b +Subproject commit e4593363e90b848a2c4673760a179f4292833327 diff --git a/auxil/zeek-aux b/auxil/zeek-aux index 1ba32fede0..cee895d87d 160000 --- a/auxil/zeek-aux +++ b/auxil/zeek-aux @@ -1 +1 @@ -Subproject commit 1ba32fede011342d0d6abeec1985a07585f90083 +Subproject commit cee895d87d469c5eb1acb07e22bece679bc1839c diff --git a/auxil/zeekctl b/auxil/zeekctl index 6d1e1f9dbe..d6279a4f99 160000 --- a/auxil/zeekctl +++ b/auxil/zeekctl @@ -1 +1 @@ -Subproject commit 6d1e1f9dbebf1d2463a0c6fb480440e7d68ba472 +Subproject commit d6279a4f99153f572d8c8bf7370060cd768d6db0 diff --git a/cmake b/cmake index d02e87b1b0..146445e5bb 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit d02e87b1b0af10c0df65f13ffc70a990411b9724 +Subproject commit 146445e5bbef1e8f3b050659e3b13c9de92e1254 diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 3d185041f2..53591ca348 100644 --- a/src/CMakeLists.txt 
+++ b/src/CMakeLists.txt @@ -400,10 +400,8 @@ add_executable(zeek main.cc ${bro_PLUGIN_LIBS} ) target_link_libraries(zeek ${zeekdeps} ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS}) - -if ( NOT "${bro_LINKER_FLAGS}" STREQUAL "" ) - set_target_properties(zeek PROPERTIES LINK_FLAGS "${bro_LINKER_FLAGS}") -endif () +# Export symbols from zeek executable for use by plugins +set_target_properties(zeek PROPERTIES ENABLE_EXPORTS TRUE) install(TARGETS zeek DESTINATION bin) diff --git a/testing/btest/plugins/binpac-flowbuffer-frame-length-plugin/CMakeLists.txt b/testing/btest/plugins/binpac-flowbuffer-frame-length-plugin/CMakeLists.txt index a2e5f4687b..9632726412 100644 --- a/testing/btest/plugins/binpac-flowbuffer-frame-length-plugin/CMakeLists.txt +++ b/testing/btest/plugins/binpac-flowbuffer-frame-length-plugin/CMakeLists.txt @@ -1,7 +1,7 @@ project(Zeek-Plugin-Foo-FOO) -cmake_minimum_required(VERSION 2.6.3) +cmake_minimum_required(VERSION 3.5) if ( NOT ZEEK_DIST ) message(FATAL_ERROR "ZEEK_DIST not set") diff --git a/testing/btest/plugins/file-plugin/CMakeLists.txt b/testing/btest/plugins/file-plugin/CMakeLists.txt index d2af209beb..6fc782e2ca 100644 --- a/testing/btest/plugins/file-plugin/CMakeLists.txt +++ b/testing/btest/plugins/file-plugin/CMakeLists.txt @@ -1,7 +1,7 @@ project(Zeek-Plugin-Demo-Foo) -cmake_minimum_required(VERSION 2.6.3) +cmake_minimum_required(VERSION 3.5) if ( NOT BRO_DIST ) message(FATAL_ERROR "BRO_DIST not set") diff --git a/testing/btest/plugins/packet-protocol-plugin/CMakeLists.txt b/testing/btest/plugins/packet-protocol-plugin/CMakeLists.txt index 4a58a114c5..dcac95fbb6 100644 --- a/testing/btest/plugins/packet-protocol-plugin/CMakeLists.txt +++ b/testing/btest/plugins/packet-protocol-plugin/CMakeLists.txt @@ -1,7 +1,7 @@ project(Zeek-Packet-Plugin-Demo) -cmake_minimum_required(VERSION 2.6.3) +cmake_minimum_required(VERSION 3.5) if ( NOT ZEEK_DIST ) message(FATAL_ERROR "ZEEK_DIST not set") 
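Review bot: The src/CMakeLists.txt hunk removes the `set_target_properties(zeek PROPERTIES LINK_FLAGS "${bro_LINKER_FLAGS}")` block, which is the only consumer of `bro_LINKER_FLAGS` visible in this diff. If anything outside the diff still sets that variable, its flags are now silently dropped at link time. The new comment could record this, e.g. `# Replaces the former bro_LINKER_FLAGS handling; that variable is no longer read.`, so that a later reader does not expect it to take effect.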
diff --git a/testing/btest/plugins/pktdumper-plugin/CMakeLists.txt b/testing/btest/plugins/pktdumper-plugin/CMakeLists.txt index 0b92f3b0ca..f611ab6b80 100644 --- a/testing/btest/plugins/pktdumper-plugin/CMakeLists.txt +++ b/testing/btest/plugins/pktdumper-plugin/CMakeLists.txt @@ -1,7 +1,7 @@ project(Zeek-Plugin-Demo-Foo) -cmake_minimum_required(VERSION 2.6.3) +cmake_minimum_required(VERSION 3.5) if ( NOT ZEEK_DIST ) message(FATAL_ERROR "ZEEK_DIST not set") diff --git a/testing/btest/plugins/pktsrc-plugin/CMakeLists.txt b/testing/btest/plugins/pktsrc-plugin/CMakeLists.txt index 0b92f3b0ca..f611ab6b80 100644 --- a/testing/btest/plugins/pktsrc-plugin/CMakeLists.txt +++ b/testing/btest/plugins/pktsrc-plugin/CMakeLists.txt @@ -1,7 +1,7 @@ project(Zeek-Plugin-Demo-Foo) -cmake_minimum_required(VERSION 2.6.3) +cmake_minimum_required(VERSION 3.5) if ( NOT ZEEK_DIST ) message(FATAL_ERROR "ZEEK_DIST not set") diff --git a/testing/btest/plugins/protocol-plugin/CMakeLists.txt b/testing/btest/plugins/protocol-plugin/CMakeLists.txt index b8faa26ebd..53a50f3961 100644 --- a/testing/btest/plugins/protocol-plugin/CMakeLists.txt +++ b/testing/btest/plugins/protocol-plugin/CMakeLists.txt @@ -1,7 +1,7 @@ project(Zeek-Plugin-Demo-Foo) -cmake_minimum_required(VERSION 2.6.3) +cmake_minimum_required(VERSION 3.5) if ( NOT ZEEK_DIST ) message(FATAL_ERROR "ZEEK_DIST not set") diff --git a/testing/btest/plugins/reader-plugin/CMakeLists.txt b/testing/btest/plugins/reader-plugin/CMakeLists.txt index 0b92f3b0ca..f611ab6b80 100644 --- a/testing/btest/plugins/reader-plugin/CMakeLists.txt +++ b/testing/btest/plugins/reader-plugin/CMakeLists.txt @@ -1,7 +1,7 @@ project(Zeek-Plugin-Demo-Foo) -cmake_minimum_required(VERSION 2.6.3) +cmake_minimum_required(VERSION 3.5) if ( NOT ZEEK_DIST ) message(FATAL_ERROR "ZEEK_DIST not set") diff --git a/testing/btest/plugins/writer-plugin/CMakeLists.txt b/testing/btest/plugins/writer-plugin/CMakeLists.txt index 0b92f3b0ca..f611ab6b80 100644 
--- a/testing/btest/plugins/writer-plugin/CMakeLists.txt +++ b/testing/btest/plugins/writer-plugin/CMakeLists.txt @@ -1,7 +1,7 @@ project(Zeek-Plugin-Demo-Foo) -cmake_minimum_required(VERSION 2.6.3) +cmake_minimum_required(VERSION 3.5) if ( NOT ZEEK_DIST ) message(FATAL_ERROR "ZEEK_DIST not set") From 219ed305b4286c3fb7b113313b0e4884e6d720c4 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 2 Dec 2020 12:04:29 -0800 Subject: [PATCH 32/40] Update submodule(s) [nomail] [skip ci] --- auxil/zeek-archiver | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auxil/zeek-archiver b/auxil/zeek-archiver index ab5526dc20..37d9e97833 160000 --- a/auxil/zeek-archiver +++ b/auxil/zeek-archiver @@ -1 +1 @@ -Subproject commit ab5526dc208afc7c876d48167639cbba2b82f8ba +Subproject commit 37d9e97833aab3e6c24fdeb8c8f5385b878f8290 From 946dfd5d16b3fa97c1b20f6d87847e1c8c5a3cef Mon Sep 17 00:00:00 2001 From: zeek-bot Date: Thu, 3 Dec 2020 00:41:58 +0000 Subject: [PATCH 33/40] Update doc submodule [nomail] [skip ci] --- doc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc b/doc index 53208a715f..1c6a57e3b4 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit 53208a715f76067e56d7897ac3bbf67aefab72fe +Subproject commit 1c6a57e3b4a16e3ff8e2e7d208fdf3e974048ffb From e147692a43f994645dad62f3ebf8e85f1320e17a Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 3 Dec 2020 07:55:05 +0000 Subject: [PATCH 34/40] Fix a couple of life-time issues when plugin loading fails. Reported by Coverity. Follow-up to #1179. --- src/plugin/Manager.cc | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index 614e100ca1..731c9d9a1c 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc 
@@ -142,6 +142,8 @@ void Manager::SearchDynamicPlugins(const std::string& dir) bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_not_found, std::vector* errors) { + errors->clear(); // caller should pass it in empty, but just to be sure + dynamic_plugin_map::iterator m = dynamic_plugins.find(util::strtolower(name)); if ( m == dynamic_plugins.end() ) @@ -193,17 +195,19 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ current_dir = dir.c_str(); current_sopath = path; void* hdl = dlopen(path, RTLD_NOW | RTLD_GLOBAL); + current_dir = nullptr; + current_sopath = nullptr; if ( ! hdl ) { const char* err = dlerror(); errors->push_back(util::fmt("cannot load plugin library %s: %s", path, err ? err : "")); - return false; + continue; } if ( ! current_plugin ) { errors->push_back(util::fmt("load plugin library %s did not instantiate a plugin", path)); - return false; + continue; } current_plugin->SetDynamic(true); @@ -223,17 +227,17 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ if ( util::strtolower(current_plugin->Name()) != util::strtolower(name) ) { errors->push_back(util::fmt("inconsistent plugin name: %s vs %s", current_plugin->Name().c_str(), name.c_str())); - return false; + continue; } - current_dir = nullptr; - current_sopath = nullptr; current_plugin = nullptr; - DBG_LOG(DBG_PLUGINS, " Loaded %s", path); } globfree(&gl); + + if ( ! errors->empty() ) + return false; } else From d266e5600b1a2af6db4a90ab10cb6e7947716e6c Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 3 Dec 2020 19:09:54 +0000 Subject: [PATCH 35/40] Fix cirrus config for static broker test. --- .cirrus.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.cirrus.yml b/.cirrus.yml index a4b11fd81a..fdda43e6da 100644 --- a/.cirrus.yml +++ b/.cirrus.yml 
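Review bot: In the third src/plugin/Manager.cc hunk the name-mismatch branch now ends in `continue`, which skips the `current_plugin = nullptr;` reset further down. The next glob iteration therefore starts with a stale `current_plugin`, and its `if ( ! current_plugin )` check passes even when the next library instantiates nothing. Clearing the pointer before each load, with `current_plugin = nullptr;` directly above the `dlopen(...)` call, or repeating the reset before that `continue`, closes this. The failure paths that follow a successful `dlopen` also leave `hdl` open, so a rejected library stays mapped with `RTLD_GLOBAL`; whether that is intended cannot be told from the hunk, and a short comment would settle it. The body of `ActivateDynamicPluginInternal` extends beyond the three hunks, so the code between `SetDynamic(true)` and the name check is not visible here.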
@@ -118,7 +118,7 @@ debian10_static_task: container: # Just uses a recent/common distro to run a static compile test. # Debian 10 EOL: June 2024 - dockerfile: ci/debian-10-static/Dockerfile + dockerfile: ci/debian-10/Dockerfile << : *RESOURCES_TEMPLATE << : *CI_TEMPLATE env: From 04385ab8b246c9f690d95e788a762e4ad48ab200 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 3 Dec 2020 16:33:07 -0800 Subject: [PATCH 36/40] Update NEWS --- NEWS | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/NEWS b/NEWS index 7ab348fb4f..d217946094 100644 --- a/NEWS +++ b/NEWS @@ -86,6 +86,36 @@ New Functionality - Added ``count_to_double()`` and ``int_to_double()`` type-conversion BIFs. +- Added these string-processing BIFs: + + - count_substr + - find_str + - rfind_str + - starts_with + - ends_with + - is_num + - is_alpha + - is_alnum + - ljust + - rjust + - swap_case + - to_title + - zfill + - remove_prefix + - remove_suffix + +- Added a new ``Weird::sampling_global_list`` option to configure global + rate-limiting of certain weirds instead of per connection/flow. + +- Added a ``Pcap::findalldevs()`` for obtaining available network devices. + +- Added ``enum_names()`` BIF to return names of an enum type's values + +- Added ``type_aliases`` BIF for introspecting type-names of types/values + +- Added composite-index support for ``&backend`` (Broker-backed tables). + An example of a set with composite index is ``set[string, count, count]``. + Changed Functionality --------------------- 
@@ -138,6 +168,18 @@ Changed Functionality Zeek upgrade anyway, so no part of the usual upgrade process is expected to be complicated by this cleanup operation. +- Continued renaming/namespacing of many classes into either ``zeek`` or + ``zeek::detail`` namespaces as already explained in Zeek 3.2's release notes. + Deprecation warnings should generally help notify plugin developers of these + changes. + +- Changed HTTP DPD signatures to trigger analyzer independent of peer state. + + This is to avoid missing large sessions where a single side exceeds + the DPD buffer size. It comes with the trade-off that now the analyzer + can be triggered by anybody controlling one of the endpoints (instead + of both). For discussion, see https://github.com/zeek/zeek/issues/343. + Removed Functionality --------------------- From 1a2d48cdd2e74220e6e5f96a3950a73704a9f0d8 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 4 Dec 2020 11:25:51 +0000 Subject: [PATCH 37/40] Update submodule [nomail] --- auxil/binpac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auxil/binpac b/auxil/binpac index fefca008f6..5e43149adc 160000 --- a/auxil/binpac +++ b/auxil/binpac @@ -1 +1 @@ -Subproject commit fefca008f6ddf7838a11a26480ae2380a23ed0a6 +Subproject commit 5e43149adce0fe3b59f6dd3edacbeb15c37bad28 From bca830b32190f289a75fc87f630e2500a83d32a1 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 4 Dec 2020 10:39:03 -0800 Subject: [PATCH 38/40] Update submodule(s) [nomail] [skip ci] --- doc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc b/doc index 1c6a57e3b4..63264729ec 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit 1c6a57e3b4a16e3ff8e2e7d208fdf3e974048ffb +Subproject commit 63264729ec6d342892a925cd3f003105544ea1d5 From 27ea03db2e9c2187a00fac19da656e279a32bd37 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Fri, 4 Dec 2020 11:16:09 -0800 Subject: [PATCH 39/40] Update submodule(s) [nomail] --- CHANGES | 4 ++++ VERSION | 2 +- auxil/bifcl | 2 +- auxil/binpac | 2 +- auxil/broker | 2 +- auxil/zeek-aux | 2 +- auxil/zeekctl | 2 +- cmake | 2 +- 8 files changed, 11 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index 2ba5f783ee..e75813a38a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +3.3.0-dev.607 | 2020-12-04 11:16:09 -0800 + + * Fix the CMake 'dist' target of Zeek plugins to only run when outdated (Benjamin Bannier, Corelight) + 3.3.0-dev.604 | 2020-12-04 18:40:03 +0000 * Sumstats: allow users to manage epoch manually diff --git a/VERSION b/VERSION index 7568d39b13..d17636d9d3 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -3.3.0-dev.604 +3.3.0-dev.607 diff --git a/auxil/bifcl b/auxil/bifcl index 15d4bc6e0b..5a45ae8d0f 160000 --- a/auxil/bifcl +++ b/auxil/bifcl @@ -1 +1 @@ -Subproject commit 15d4bc6e0bbb6bb18ad1d1d82f3fedadc3df05e6 +Subproject commit 5a45ae8d0f61e7ae7fa3ed0ea5841e8347e40926 diff --git a/auxil/binpac b/auxil/binpac index 5e43149adc..1078f4e9d6 160000 --- a/auxil/binpac +++ b/auxil/binpac @@ -1 +1 @@ -Subproject commit 5e43149adce0fe3b59f6dd3edacbeb15c37bad28 +Subproject commit 1078f4e9d6065ae47cf6fca9bd8e98183f913b98 diff --git a/auxil/broker b/auxil/broker index 7c199d1b31..ab17648f6a 160000 --- a/auxil/broker +++ b/auxil/broker @@ -1 +1 @@ -Subproject commit 7c199d1b318d2418a2607fadf73108f4b02d4eb3 +Subproject commit ab17648f6acfdd44c34d11227892da2e1ab9bec5 diff --git a/auxil/zeek-aux b/auxil/zeek-aux index 5f7e85351e..037bd04115 160000 --- a/auxil/zeek-aux +++ b/auxil/zeek-aux @@ -1 +1 @@ -Subproject commit 5f7e85351e8f44b107046d190758c0bc16e44d6b +Subproject commit 037bd04115ee0176536d85374f39980a45e9ff92 diff --git a/auxil/zeekctl b/auxil/zeekctl index 8a6247d25a..0abed02b22 160000 --- a/auxil/zeekctl +++ b/auxil/zeekctl 
@@ -1 +1 @@ -Subproject commit 8a6247d25af54af9de3e30e791f6bd6e71cb7159 +Subproject commit 0abed02b22f75d40d8c089fa1185681a6a9ee6d6 diff --git a/cmake b/cmake index a9dfaa841c..40251ae850 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit a9dfaa841c589cf02097528ed320efa5ea80586e +Subproject commit 40251ae850dee52eae8eb05e552c165e2deef354 From 24bbadcd0a57c256da3b14215d7a91103880074e Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 4 Dec 2020 13:06:05 -0800 Subject: [PATCH 40/40] Update submodule(s) [nomail] [skip ci] --- auxil/broker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auxil/broker b/auxil/broker index ab17648f6a..8899280694 160000 --- a/auxil/broker +++ b/auxil/broker @@ -1 +1 @@ -Subproject commit ab17648f6acfdd44c34d11227892da2e1ab9bec5 +Subproject commit 8899280694d8d5ad3aaa0a03cc99e4c3d3fd7887