> On 16 May 2023, at 06:46, Matthew Petach <mpetach@netflight.com> wrote:
> [..]
> I admit, I'm perhaps a little behind on the latest netflow whiz-bangs,
> but I've never seen a netflow record type that included HTTP cookies
> or PCAP data before.
Take your pick from the "latest" ~2009 IPFIX Information Elements:
https://www.iana.org/assignments/ipfix/ipfix.xhtml
One can stuff almost anything in there.
Now if one should, and if one is allowed to.....
313 | ipHeaderPacketSection | octetArray | default | current | This Information Element carries a series of n octets from the IP header of a sampled packet, starting sectionOffset octets into the IP header. However, if no sectionOffset field corresponding to this Information Element is present, then a sectionOffset of zero applies, and the octets MUST be from the start of the IP header. With sufficient length, this element also reports octets from the IP payload. However, full packet capture of arbitrary packet streams is explicitly out of scope per the Security Considerations sections of [RFC5477] and [RFC2804]. |