Cisco Firepower Management Center 2000 Developer Guide
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
Understanding Discovery & Connection Data Structures
Host Discovery and Connection Data Blocks
Chapter 4
Host MAC Address 4.9+
The host MAC address data block has a block type of 95 in the series 1 group of
blocks. The block includes the time-to-live value for the host data, as well as the
MAC address, the primary subnet of the host, and the last seen value for the
host.
The following diagram shows the format of a host MAC address data block in
4.9+.
The Host MAC Address Data Block Fields table describes the fields of the Host
MAC Address data block.
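 Byte 0          Byte 1          Byte 2          Byte 3
 Bits 0-7        Bits 8-15       Bits 16-23      Bits 24-31
+---------------+---------------+---------------+---------------+
|               Host MAC Address Block Type (95)                |
+---------------+---------------+---------------+---------------+
|                 Host MAC Address Block Length                 |
+---------------+---------------+---------------+---------------+
|      TTL      |                  MAC Address                  |
+---------------+---------------+---------------+---------------+
|              MAC Address, cont.               |    Primary    |
+---------------+---------------+---------------+---------------+
|                           Last Seen                           |
+---------------+---------------+---------------+---------------+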
Host MAC Address Data Block Fields

| Field | Data Type | Description |
|---|---|---|
| Host MAC Address Data Block Type | uint32 | Initiates the Host MAC Address data block. This value is always 95. |
| Host MAC Address Data Block Length | uint32 | Number of bytes in the Host MAC Address data block. This value should always be 20: eight bytes for the data block type and length fields, one byte for the TTL value, 6 bytes for the MAC address, one byte for the primary subnet, and four bytes for the last seen value. |
| TTL | uint8 | Indicates the difference between the TTL value in the packet used to fingerprint the host. |
| MAC Address | uint8 [6] | Indicates the MAC address of the host. |
| Primary | uint8 | Indicates the primary subnet of the host. |
| Last Seen | uint32 | Indicates when the host was last seen in traffic. |
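
A parser for the block layout described above, added here as an example and not taken from the eStreamer guide or any Cisco code. It assumes network byte order for the multi-byte fields and that several blocks may sit back to back in one buffer; the function names and the sample bytes are constructed for illustration.

```python
import struct
from dataclasses import dataclass

BLOCK_TYPE = 95    # Host MAC Address block type, from the field table
BLOCK_LENGTH = 20  # 8 type/length + 1 TTL + 6 MAC + 1 primary + 4 last seen
# Assumption: integers are big-endian (network byte order); the page does not say.
LAYOUT = struct.Struct(">IIB6sBI")


@dataclass(frozen=True)
class HostMacBlock:
    ttl: int
    mac: str
    primary: int
    last_seen: int  # raw uint32 from the wire, left uninterpreted


def parse_host_mac_block(buf, offset=0):
    """Parse one block at offset; return (block, offset of the next byte)."""
    if len(buf) - offset < LAYOUT.size:
        raise ValueError("truncated Host MAC Address block")
    btype, blen, ttl, mac, primary, last_seen = LAYOUT.unpack_from(buf, offset)
    # Validate the header before trusting the length to advance the cursor.
    if btype != BLOCK_TYPE:
        raise ValueError(f"unexpected block type {btype}, expected {BLOCK_TYPE}")
    if blen != BLOCK_LENGTH:
        raise ValueError(f"unexpected block length {blen}, expected {BLOCK_LENGTH}")
    return HostMacBlock(ttl, mac.hex(":"), primary, last_seen), offset + blen


def parse_host_mac_list(buf):
    """Parse consecutive blocks; any trailing partial block is an error."""
    blocks, offset = [], 0
    while offset < len(buf):
        block, offset = parse_host_mac_block(buf, offset)
        blocks.append(block)
    return blocks


# Constructed sample: two blocks packed by hand, not captured from a device.
SAMPLE = (
    LAYOUT.pack(95, 20, 2, bytes.fromhex("001122aabbcc"), 1, 1700000000)
    + LAYOUT.pack(95, 20, 0, bytes.fromhex("02005e000001"), 0, 1700000060)
)

if __name__ == "__main__":
    for parsed in parse_host_mac_list(SAMPLE):
        print(parsed)
```

Rejecting any block whose type is not 95 or whose length is not 20 keeps a malformed or misaligned stream from being decoded as host data.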