Dear Andrew, all,

Comments inline:

Andrew Johnson wrote:
Gerhard Muenz wrote:
In the psamp-info draft, there is an IE for IP payload, L2 payload and MPLS payload. Are there any reasons for not having a similar IE for transport layer payload, e.g. udp|tcpPayloadPacketSection or a generic transportPayloadPacketSection?

A generic transport payload IE is not feasible because to implement properly an implementation would have to understand and parse all transport protocols, including ones which are yet to be defined.
I thought of a generic transportPayloadPacketSection similar to the sourceTransportPort that exists besides udp|tcpTransportPort. In any case, a monitor would only export the information it is able to retrieve from a packet.
Apart from the generic type, is there any argument against IEs for udp|tcpPacketPayloadSection? Since IEs for almost all UDP/TCP header fields exist, the payload type would cover the remaining unparsed packet data.
At this time, it is expected that the IP payload type will be sufficient because correct interpretation of the transport payload will most likely require much of the information from the transport header, and the IP payload IE will provide both.
The IP payload type is sufficient but inefficient if you are not interested in the whole transport header but only in some specific fields (such as port numbers). In this case you would export much more data than you need.
If you, or anyone, has an application that would require that PSAMP be extended in some way then please mail the list details of the application and we can discuss the best way to address the requirements, possibly requesting new IEs as needed. Don't forget, however, that new IEs can be requested at any time in the future, so we don't have to cover all cases right now.
An application I'm working on is signature detection on sampled packets.

Regards,
Gerhard

--
Dipl.-Ing. Gerhard Münz
Computer Networks and Internet
Wilhelm Schickard Institute for Computer Science, University of Tuebingen
Auf der Morgenstelle 10C 9P16, D-72076 Tuebingen, Germany
Phone: +49 7071 29-70534 / Fax: +49 7071 29-5220
EMail: muenz@informatik.uni-tuebingen.de
WWW: http://net.informatik.uni-tuebingen.de/~muenz
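Added example, not part of the original message: a Python sketch of the parsing a monitor needs in order to export port numbers plus transport payload for TCP and UDP instead of the whole IP payload, and of the per-packet size difference the thread discusses. The function names and sample packets are constructed for illustration, and the sizes ignore IPFIX record encoding overhead.

```python
import struct

PROTO_TCP, PROTO_UDP = 6, 17  # IANA protocol numbers

def split_transport(protocol, ip_payload):
    """Split an IP payload into (src_port, dst_port, transport_payload).

    Returns None when the transport protocol is not understood or the
    header is truncated, i.e. the monitor cannot retrieve the fields.
    """
    if protocol == PROTO_UDP:
        if len(ip_payload) < 8:            # fixed 8-byte UDP header
            return None
        src, dst = struct.unpack_from("!HH", ip_payload, 0)
        return src, dst, ip_payload[8:]
    if protocol == PROTO_TCP:
        if len(ip_payload) < 20:           # minimum TCP header
            return None
        src, dst = struct.unpack_from("!HH", ip_payload, 0)
        # Data offset: upper 4 bits of byte 12, counted in 32-bit words.
        hdr_len = (ip_payload[12] >> 4) * 4
        if hdr_len < 20 or hdr_len > len(ip_payload):
            return None
        return src, dst, ip_payload[hdr_len:]
    return None                            # unknown transport: nothing to export

def export_sizes(protocol, ip_payload):
    """Bytes per packet: (whole IP payload, two ports + transport payload)."""
    parts = split_transport(protocol, ip_payload)
    if parts is None:
        return len(ip_payload), None
    return len(ip_payload), 2 + 2 + len(parts[2])

# Constructed samples: a TCP segment with 12 bytes of options and a UDP datagram.
TCP_SEGMENT = (struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 8 << 4, 0x18, 65535, 0, 0)
               + b"\x01" * 12 + b"GET / HTTP/1.1\r\n")
UDP_DATAGRAM = struct.pack("!HHHH", 5353, 53, 15, 0) + b"\x12\x34query"

if __name__ == "__main__":
    for name, proto, pkt in (("tcp", PROTO_TCP, TCP_SEGMENT),
                             ("udp", PROTO_UDP, UDP_DATAGRAM),
                             ("sctp", 132, TCP_SEGMENT)):
        print(name, export_sizes(proto, pkt))
```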