diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index ba6a91a644b..46d2bc8675f 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -403,6 +403,13 @@ export {
 ## cross-references the *uid* field of :zeek:type:`connection`.
 uid: string &optional;
 } &log;
+
+ ## The number of tunnel_changed events that will be sent for a connection. Once this ## limit is hit, no more of those events will be sent to avoid a large number of events ## being sent for connections that regularly swap. This can be set to zero to disable ## this limiting.
+ const max_changes_per_connection: count = 5 &redef;
+
 } # end export
 module GLOBAL;
diff --git a/src/Conn.cc b/src/Conn.cc
index 1c9a6247f4e..59052c2cb99 100644
--- a/src/Conn.cc
+++ b/src/Conn.cc
@@ -96,8 +96,13 @@ void Connection::CheckEncapsulation(const std::shared_ptr& a
 {
 if ( *encapsulation != *arg_encap )
 {
- if ( tunnel_changed )
+ if ( tunnel_changed &&
+ (zeek::detail::tunnel_max_changes_per_connection == 0 ||
+ tunnel_changes < zeek::detail::tunnel_max_changes_per_connection) )
+ {
+ tunnel_changes++;
 EnqueueEvent(tunnel_changed, nullptr, GetVal(), arg_encap->ToVal());
+ }
 encapsulation = std::make_shared(*arg_encap);
 }
diff --git a/src/Conn.h b/src/Conn.h
index 960df181296..ca7c0eeeba4 100644
--- a/src/Conn.h
+++ b/src/Conn.h
@@ -265,6 +265,7 @@ class Connection final : public session::Session
 int suppress_event; // suppress certain events to once per conn.
 RecordValPtr conn_val;
 std::shared_ptr encapsulation; // tunnels
+ uint8_t tunnel_changes = 0;
 detail::ConnKey key;
diff --git a/src/NetVar.cc b/src/NetVar.cc
index 3d66da09901..586b81c07e5 100644
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@@ -193,6 +193,8 @@ int record_all_packets;
 bro_uint_t bits_per_uid;
+bro_uint_t tunnel_max_changes_per_connection;
+
 } // namespace zeek::detail. The namespace has be closed here before we include the netvar_def
 // files.
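Review bot: The new doc comment on `max_changes_per_connection` names `tunnel_changed` as bare text, while the surrounding comments in this export block use Sphinx roles (the context line just above writes :zeek:type:`connection`), so the generated documentation will not link the event; writing it as :zeek:see:`tunnel_changed` keeps the cross-reference. The sentence "no more of those events will be sent" could also say that the connection's encapsulation is still updated when the cap is reached, which is what the accompanying Conn.cc change does, so readers of the option understand that only the event is suppressed, not the tunnel tracking itself.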
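Review bot: The limit can be silently defeated by configuration, because the counter compared here is the `uint8_t tunnel_changes` added in the Conn.h hunk: with `Tunnel::max_changes_per_connection` redef'd above 255, `tunnel_changes++` wraps to 0 after 255 events and the `tunnel_changes < zeek::detail::tunnel_max_changes_per_connection` test keeps passing, so the event flood the cap is meant to prevent resumes. A one-line fix is to widen the member in Conn.h, `uint32_t tunnel_changes = 0;` (or `bro_uint_t`, matching the option's type), or alternatively clamp the configured value where init_net_var reads it. Separately, once the cap is hit the remaining changes are dropped without any trace; recording that once per connection (the connection's existing weird mechanism would fit) lets analysts see that a connection kept flipping tunnels rather than assuming it stopped, and the init-bare.zeek doc comment should mention that behaviour. The enclosing CheckEncapsulation body continues past the end of the hunk.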
@@ -343,6 +345,9 @@ void init_net_var()
 dpd_match_only_beginning = id::find_val("dpd_match_only_beginning")->AsBool();
 dpd_late_match_stop = id::find_val("dpd_late_match_stop")->AsBool();
 dpd_ignore_ports = id::find_val("dpd_ignore_ports")->AsBool();
+
+ tunnel_max_changes_per_connection = id::find_val("Tunnel::max_changes_per_connection")->AsCount();
 }
 } // namespace zeek::detail
diff --git a/src/NetVar.h b/src/NetVar.h
index 3f8e11bac08..e3c3521c7e5 100644
--- a/src/NetVar.h
+++ b/src/NetVar.h
@@ -94,6 +94,8 @@ extern int record_all_packets;
 extern bro_uint_t bits_per_uid;
+extern bro_uint_t tunnel_max_changes_per_connection;
+
 // Initializes globals that don't pertain to network/event analysis.
 extern void init_general_global_var();