request for a new transport field in source / client / server

[jiriatipteldotorg]

Folks,

I'm wondering if you could consider including a new field, transport, in the source / client / serve specifications.

There are several application protocols, for example SIP or DOTS, that use multiple transport protocols (UDP, TCP, SCTP). The field would allow to discriminate flows over different transport protocols.

The actual specification could be the same as in network.

    - name: transport
      level: core
      type: keyword
      short: Protocol Name corresponding to the field `iana_number`.
      description: >
        Same as network.iana_number, but instead using the Keyword name of the
        transport layer (udp, tcp, ipv6-icmp, etc.)

        The field value must be normalized to lowercase for querying. See
        the documentation section "Implementing ECS".
      example: tcp

[webmat]

Hi! Thanks for the suggestion.

Could you flesh out an example (e.g. with simple JSON objects) that would show how you envision this to work?

Another thought, I assume you're talking about wrapping one protocol into another? Wouldn't it be better to e.g. define network.transport as the wrapping protocol, and a second field under network to represent the embedded protocol?

If we were to add transport to the network endpoints (src/dst or cli/srv), what would be the semantics? Always fill both source.transport == destination.transport? Or are there cases where only one side would be filled?