Feature #4159
open
Log flow age as fractional value
Added by Sascha Steinbiss over 3 years ago.
Updated over 3 years ago.
Description
At the moment, flow.age in EVE JSON is an integer value in seconds. This is likely to be too coarse a resolution to properly describe short-lived flows. It would be better to have more precise, fractional values in this field, down to sub-second resolution. Looking at the flow.start and flow.end values, the necessary timestamps should be available.
Would this change the type of the field in json?
Sascha Steinbiss wrote in #note-2:
Indeed it would!
Just took another look at the JSON RFC, and it actually, strictly speaking, does not change the type, since JSON only defines numbers, which may or may not have a fractional part. See https://tools.ietf.org/html/rfc8259#section-6 -- this means that we should be fine with this change as long as EVE-consuming parties do not make assumptions about the number format in that field that are more strict than the JSON standard.
I'd see this as low risk. What do others think?
Yes, in theory this should be fine. Every JSON parser I've used parses numbers in JSON as floats. However, just looking at the Filebeat Suricata module, it post-processes flow.age to a long. This might not be a problem, or it might. I'll try to test at some point.
Jason Ish wrote in #note-4:
Yes, in theory this should be fine. Every JSON parser I've used parses numbers in JSON as floats. However, just looking at the Filebeat Suricata module, it post-processes flow.age to a long. This might not be a problem, or it might. I'll try to test at some point.
That would be great, thanks!
Also available in: Atom
PDF