Add IP-layer byte counts (ip_bytes, ip_bytes_in, ip_bytes_out) to network_traffic#1673
Open
flying-coyote wants to merge 2 commits into
Open
Add IP-layer byte counts (ip_bytes, ip_bytes_in, ip_bytes_out) to network_traffic#1673flying-coyote wants to merge 2 commits into
flying-coyote wants to merge 2 commits into
Conversation
…work_traffic The Network Traffic object's bytes/bytes_in/bytes_out are defined as payload byte counts. There is no attribute for the IP-layer byte count (payload plus IP and transport headers), which common network sensors emit as a distinct value: Zeek conn.log reports both orig_bytes/resp_bytes (payload) and orig_ip_bytes/resp_ip_bytes (IP-layer) for every connection. Today a producer must drop the IP-layer count or overload bytes_*, which breaks consumers that assume bytes_* is payload. This adds ip_bytes, ip_bytes_in, ip_bytes_out to objects/network_traffic.json and the dictionary, paralleling the existing payload trio with descriptions that state the distinction. Direction matches bytes_in/bytes_out (in = destination to source, out = source to destination). All optional, long_t. Follows the precedent of ocsf#1316, which added Zeek-derived history/missing_bytes to the same object. Signed-off-by: flyingcoyote <flyingcoyote@gmail.com>
flying-coyote
requested review from
Aniak5,
davemcatcisco,
floydtree,
jonrau-at-queryai,
mikeradka,
pagbabian-splunk and
zschmerber
as code owners
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The Network Traffic object's
bytes/bytes_in/bytes_outare defined in the dictionary as payload byte counts (bytes_in= "bytes sent from the destination to the source"). There is no attribute for the IP-layer byte count — payload plus the IP and transport (TCP/UDP) headers — which common network sensors emit as a distinct value.The most widely deployed open network sensor, Zeek, reports both for every connection in
conn.log:orig_bytes/resp_bytes— payload bytesorig_ip_bytes/resp_ip_bytes— IP-layer bytes (header-inclusive)Today a producer mapping Zeek (or any sensor with IP-layer counters) must either drop the IP-layer count or overload
bytes_*with it, which silently breaks any consumer that assumesbytes_*is payload, and makes the two byte models non-comparable across producers.Change
Adds three attributes to
objects/network_traffic.json(and the dictionary), mirroring the existing payload trio so the object stays symmetric:conn.log)ip_bytes_outorig_ip_bytesip_bytes_inresp_ip_bytesip_bytesbytes_in/bytes_out(in = destination → source, out = source → destination).long_t,requirement: optional.bytes_*so the difference is unambiguous in the rendered schema.Precedent
Follows #1316, which added the Zeek-derived
historyandmissing_bytesattributes to the same object — this fills the remaining IP-byte gap on that path.