IMO per-packet payloads would not belong in the "flow" extension, they would go into a "packet" extension (of which one could make a list). A flow is a different concept than a simple collection of packets.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown 
"Kirillov, Ivan A." ---06/14/2016 06:24:56 PM---The Network Connection Object is finally ready for review: https://docs.google.com/document/d/1oPAHN
From: "Kirillov, Ivan A." <ikirillov@mitre.org>
To: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Date: 06/14/2016 06:24 PM
Subject: [cti-cybox] For review: Network Connection Object
Sent by: <cti-cybox@lists.oasis-open.org>
The Network Connection Object is finally ready for review: https://docs.google.com/document/d/1oPAHN6nitdVF60RuDlajq0VuN6S_p_RP3ZE48yOBBfQ/edit#heading=h.rgnc3w40xy
There are a number of open questions around this Object, including the following:
- Right now all fields are optional - should any be required?
- Should protocols be broken down by OSI layer, as in the current implementation?
- Things like IP don’t fit cleanly into the OSI model
- Does the initial collection of extensions make sense?
- Are any missing?
- Should the HTTP extension also characterize responses? At the moment it only characterizes HTTP requests.
- The flow extension currently captures an entire network connection payload - should we consider capturing per-packet payloads as well?
Regards,
Ivan