Description
Summary
Add common network TCP- and UDP-specific fields (e.g. window size, TTL, acknowledgement number, sequence number, UDP length)
Motivation:
We receive Flowmon and other NetFlow v10 / IPFIX data in Elastic. We could add custom fields (e.g. network.tcp.window or network.tcp.ack) but we would like to have an ECS definition that everybody uses.
I see there are already specific fields defined for iptables. So, why not add them officially to ECS?
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-iptables.html#_tcp_2
e.g.
iptables.tcp.window
type: long
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-iptables.html#_udp
e.g.
iptables.udp.length
type: long
Then there are also the same fields defined for netflow:
netflow.tcp_window_size
type: integer
or netflow.udp_message_length
type: integer
in https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-netflow.html
Detailed Design:
I think we should have common (as in Elastic Common Schema) "global" fields under network (https://www.elastic.co/guide/en/ecs/current/ecs-network.html) and not multiple ones of multiple types:
network.udp.length
network.tcp.ack
network.tcp.window
- We should use the same datatype all over; for the window size ("maximum effective TCP Window Size can be 16384 * 65535 bytes = 1,073,725,440 bytes, that is, one gigabyte.") integer should be enough, we don't need long.
- Any example events that map to the proposed use case(s):
  - I can provide netflows, iptables, etc.
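As an added example (not part of this issue, of ECS, or of the Beats modules), the Python below maps the module-specific iptables and netflow fields onto the proposed network.tcp.* / network.udp.* names and checks each value against the narrowest Elasticsearch numeric type that can hold it. The target names are the ones proposed above. The source names iptables.tcp.window, iptables.udp.length, netflow.tcp_window_size and netflow.udp_message_length are the ones cited in the issue; the sequence/acknowledgement source names (iptables.tcp.seq, iptables.tcp.ack, netflow.tcp_sequence_number, netflow.tcp_acknowledgement_number) are taken from the same Filebeat exported-fields docs and should be treated as assumptions. The sample events are constructed, not real captures. One thing the range check makes visible: the scaled TCP window (65535 * 2**14) and the 16-bit UDP length fit the signed 32-bit Elasticsearch `integer` type, but TCP sequence and acknowledgement numbers are unsigned 32-bit and therefore need `long`.

```python
"""Normalize iptables / netflow TCP and UDP fields onto the proposed
network.tcp.* and network.udp.* ECS fields and pick an Elasticsearch type.

Added example, not code from the ECS issue, ECS itself or the Beats modules.
"""

# Elasticsearch numeric types: `integer` is a signed 32-bit int, `long` a signed 64-bit int.
INT32_MAX = 2**31 - 1
INT64_MAX = 2**63 - 1

# Proposed target field -> largest value the protocol allows for it.
# - TCP window: 16-bit header field shifted by the maximum window scale (14),
#   i.e. 65535 << 14 = 1,073,725,440 bytes (the "one gigabyte" quoted above).
# - TCP seq/ack: unsigned 32-bit, so the maximum is 4,294,967,295 (> INT32_MAX).
# - UDP length: 16-bit header field.
TARGET_FIELDS = {
    "network.tcp.window": 65535 << 14,
    "network.tcp.seq": 2**32 - 1,
    "network.tcp.ack": 2**32 - 1,
    "network.udp.length": 65535,
}

# Source field -> proposed target field, per Filebeat module.
# The window/length names are cited in the issue; the seq/ack names are an
# assumption taken from the same exported-fields documentation.
SOURCE_FIELDS = {
    "iptables": {
        "iptables.tcp.window": "network.tcp.window",
        "iptables.tcp.seq": "network.tcp.seq",
        "iptables.tcp.ack": "network.tcp.ack",
        "iptables.udp.length": "network.udp.length",
    },
    "netflow": {
        "netflow.tcp_window_size": "network.tcp.window",
        "netflow.tcp_sequence_number": "network.tcp.seq",
        "netflow.tcp_acknowledgement_number": "network.tcp.ack",
        "netflow.udp_message_length": "network.udp.length",
    },
}


def smallest_es_type(max_value):
    """Return the narrowest Elasticsearch numeric type that holds 0..max_value."""
    if max_value <= INT32_MAX:
        return "integer"
    if max_value <= INT64_MAX:
        return "long"
    raise ValueError(f"{max_value} does not fit a 64-bit long")


def proposed_mapping():
    """Elasticsearch mapping properties for the proposed fields, one type per field."""
    return {field: {"type": smallest_es_type(limit)} for field, limit in TARGET_FIELDS.items()}


def normalize(module, event):
    """Copy a module's TCP/UDP fields onto the proposed network.* fields.

    Other keys are passed through unchanged. Values outside the protocol's
    range raise ValueError instead of being indexed silently.
    """
    mapping = SOURCE_FIELDS[module]
    out = {}
    for key, value in event.items():
        target = mapping.get(key)
        if target is None:
            out[key] = value
            continue
        limit = TARGET_FIELDS[target]
        value = int(value)
        if not 0 <= value <= limit:
            raise ValueError(f"{key}={value} outside 0..{limit} for {target}")
        out[target] = value
    return out


# Constructed sample events shaped after the two Filebeat modules (not real captures).
IPTABLES_EVENT = {
    "event.module": "iptables",
    "iptables.tcp.window": 29200,
    "iptables.tcp.seq": 4000000000,
    "iptables.tcp.ack": 0,
}
NETFLOW_TCP_EVENT = {
    "event.module": "netflow",
    "netflow.tcp_window_size": 65535,
    "netflow.tcp_acknowledgement_number": 4294967295,
}
NETFLOW_UDP_EVENT = {"event.module": "netflow", "netflow.udp_message_length": 512}

if __name__ == "__main__":
    for field, props in proposed_mapping().items():
        print(f"{field}: {props['type']}")
    for module, event in (("iptables", IPTABLES_EVENT),
                          ("netflow", NETFLOW_TCP_EVENT),
                          ("netflow", NETFLOW_UDP_EVENT)):
        print(normalize(module, event))
```

Running the module prints the per-field type choice and the three normalized events; feeding a value such as iptables.udp.length=70000 raises ValueError, which is the kind of guard an ingest pipeline would want before indexing into a fixed-width type.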