[Packetbeat] Provide a feature to correlate a host that uses multiple mac addresses within a packet flow

[geekpete]

Describe the enhancement:

Currently traffic flows only consider individual mac addresses. This can create problems where one host with multiple mac addresses looks uncorrelated when the request or response appears unmatched at the mac address level.

The enhancement would provide a way to match or correlate the multiple mac addresses to the host to allow seeing them as one entity within a flow or the ability to look at flows from a level above mac addresses as an option.

Describe a specific use case for the enhancement or feature:

A specific example might be the Security solution with alerting where flows involving different/multiple mac addresses for outbound vs inbound packets that are actually macs on the same host can trigger a false positive for detection rules.

** Workarounds **

Network channel bonding might provide a solution where multiple interfaces can appear as a single mac but this might solve some problems at the expense of creating different problems depending on the particular architecture/configuration.

** Other Notes **

The Linux team has been added as a security label as it's likely the most common usage, but Windows and Mac could also see scenarios where multiple macs on a single host could hit the issue, so the labels might need review for this issue.

[elasticmachine]

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)