Does the file analysis framework support analyzing files over POP3?

Hello all,
    I tried to do file analysis over the POP3 protocol via the file analysis framework.

    Following the, I first tested if it can trigger event file_sniff and file_hash, the script are simply copied from the doc ( as:

event file_sniff(f: fa_file, meta: fa_metadata)
    if ( ! meta?$mime_type ) return;
    print "new file", f$id;
    if ( meta$mime_type == "text/plain" )
        Files::add_analyzer(f, Files::ANALYZER_MD5);

event file_hash(f: fa_file, kind: string, hash: string)
    print "file_hash", f$id, kind, hash;

    I tested the above script on, with a test pop3 pcap file from The pcap file contains a pdf file attachment.

    However, when I ran the script on the pcap file, the result shows it didn't detect any files, the files and active files of the stat.log are both 0. It seems to me that the events didn't trigger at all.

    But if I tried the same script with some other pcap files, for example, the also provides a http.pcap for exercise, the script outputs are as expected.

    So I wonder what I did wrong or currently the fa framework doesn't support analyzing over pop3 at all?

    The zeek I tested is lts 4.0.0 version, thanks for help!

Maofei Chen