> On Jan 19, 2016, at 1:12 PM, James Lay <jlay at slave-tothe-box.net> wrote: > > I can see the field in full packet captures. Any hints on what I'm > missing? Thank you. Could you privately send along a couple of headers that it's messing up? .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/