[pcap-ng-format] Proposal for new EPB Option: Flow ID (4 of 4)

Michael Haney michael-haney at utulsa.edu
Thu Aug 27 06:20:51 UTC 2015


I'd like to propose the following new Flow Option for the EPB
(dependent on the Flow Block):

Name:     epb_flowid
Code:     5
Length:   0x0014 (20 bytes)
Description:

This option provides a means of tagging a packet with its unique flow
identifier. This can be designed in a number of different ways, but the
most straightforward is to establish a flow counter in the sniffing
software or hardware where flow state is being tracked. As packets are
identified as belonging to a specific flow, the flow identifier is added
to each Enhanced Packet Block as an option. Flow Blocks are the way to
associate flow metadata with a flow identifier. If flow-based processing
is used as part of a recording effort and encryption is used, the flow ID
is stored in the clear as part of the Encrypted Block. If encryption is
not used, this option can be appended to the EPB to track the flow. Flow
IDs should be a multiple of 32 bits or be padded with null bits to the
next 32-bit boundary.

<artwork>
     /                                                               /
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |    epb_flowid_code = 0x0005   | option length (var) = 0x0014  |
     +---------------------------------------------------------------+
     /                                                               /
     /                                                               /
     /               Flow Identifier (variable e.g. 160-bits)        /
     /                                                               /
     /                                                               /
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     /                                                               /
     /                   Other Options (variable)                    /
     /                                                               /
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |  end_of_options = 0x0000      |    options_length = 0x0000    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                       Block Total Length                      |
     +---------------------------------------------------------------+
</artwork>

Regards,
Michael
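
The option layout proposed above, encoded and parsed back with length and padding checks. This is an added example, not part of the original message or of any pcapng implementation. It assumes a little-endian section and a flow counter stored big-endian in the 160-bit identifier; the function names are hypothetical, and code 5 is the value proposed in the message.

```python
import struct

EPB_FLOWID = 5     # option code proposed in the message above, not an assigned value
OPT_ENDOFOPT = 0   # end_of_options, as in the diagram
OPT_COMMENT = 1    # standard pcapng opt_comment, used here as the "other option"

def pad32(n):
    """Round n up to the next 32-bit boundary."""
    return (n + 3) & ~3

def encode_option(code, value, endian="<"):
    """16-bit code, 16-bit unpadded length, value padded with null bytes."""
    if len(value) > 0xFFFF:
        raise ValueError("option value too long")
    header = struct.pack(endian + "HH", code, len(value))
    return header + value.ljust(pad32(len(value)), b"\x00")

def parse_options(buf, endian="<"):
    """Walk an options area and return [(code, value)] up to end_of_options."""
    opts, off = [], 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from(endian + "HH", buf, off)
        off += 4
        if code == OPT_ENDOFOPT:
            break
        # Reject a declared length that would read past the options area.
        if off + pad32(length) > len(buf):
            raise ValueError("option length runs past the options area")
        opts.append((code, buf[off:off + length]))
        off += pad32(length)
    return opts

def flow_id(buf, endian="<"):
    """Return the first epb_flowid value in an options area, or None."""
    return next((v for c, v in parse_options(buf, endian) if c == EPB_FLOWID), None)

# Constructed sample: flow counter 42 stored as a 160-bit identifier.
SAMPLE_FLOW_ID = (42).to_bytes(20, "big")
SAMPLE_AREA = (encode_option(EPB_FLOWID, SAMPLE_FLOW_ID)
               + encode_option(OPT_COMMENT, b"constructed")
               + encode_option(OPT_ENDOFOPT, b""))

if __name__ == "__main__":
    for code, value in parse_options(SAMPLE_AREA):
        print(code, len(value), value.hex())
```

The length field carries the unpadded size, so a reader has to skip the padded size to find the next option; a 6-byte identifier occupies 8 bytes on disk but parses back as 6.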

