Transform rm_client_from_dns_resp {
  Match (dns_resp=1, client) Replace (dns_resp=1);
};

Pdu dns_pdu Proto dns Transport ip {
  Extract addr From ip.addr;
  Extract dns_id From dns.id;
  Extract dns_resp From dns.flags.response;
  Extract host From dns.qry.name;
  Extract client From ip.src;
  Transform rm_client_from_dns_resp;
};

Gop dns_req On dns_pdu Match (addr,addr,dns_id) {
  Start (dns_resp=0);
  Stop (dns_resp=1);
  Extra (host, client);
};

Transform rm_client_from_http_resp1 {
  Match (http_rq);
  Match Every (addr) Insert (not_rq);
};

Transform rm_client_from_http_resp2 {
  Match (not_rq, client) Replace ();
};

Pdu http_pdu Proto http Transport tcp/ip {
  Extract addr From ip.addr;
  Extract port From tcp.port;
  Extract http_rq From http.request.method;
  Extract http_rs From http.response;
  Extract host From http.host;
  Extract client From ip.src;
  Transform rm_client_from_http_resp1, rm_client_from_http_resp2;
  DiscardPduData true;
};

Gop http_req On http_pdu Match (addr, addr, port, port) {
  Start (http_rq);
  Stop (http_rs);
  Extra (host, client);
};

Gog http_use {
  Member http_req (host, client);
  Member dns_req (host, client);
  Expiration 0.75;
};

Done;