network tcp windows and other missing

[zez3]

Summary

Add common network tcp and udp specific fields (eg. window size, ttl, Acknowledgement Number, Sequence Number, UDP length)

Motivation:

We receive flowmon and other netflow v10 / IPFIX data in Elastic. We could add custom fields (e.g nework.tcp.window or network.tcp.ack) but we would like to have a ECS definition that everybody uses.

I see there are already specific fields defined for iptables. So, why not add them officially to ECS?
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-iptables.html#_tcp_2
e.g.
iptables.tcp.window type: long

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-iptables.html#_udp
e.g.
iptables.udp.length type: long

Then there are also the same fields defined for netflow:
netflow.tcp_window_size type: integer
or netflow.udp_message_length type: integer
in https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-netflow.html

Detailed Design:

I think we should have a common (as in Elastic Common Schema) "global" field in network https://www.elastic.co/guide/en/ecs/current/ecs-network.html and not multiple ones of multiple types

• network.udp.length network.tcp.ack network.tcp.window
• We should use the same datatype allover but for window size ("maximum effective TCP Window Size can be 16384 * 65535 bytes = 1,073,725,440 bytes, that is, one gigabyte.") so integer should be enough, we don't need long.
• Any example events that map to the proposed use case(s)
  - I can provide netflows, iptables, etc.

[zez3]

https://www.elastic.co/guide/en/elasticsearch/reference/current/number.html

[zez3]

@ruflin

any thoughts on this?

can you please 🙏 assign a team, not sure if Integration team is responsible for this