Cisco Cisco Firepower Management Center 4000 Entwickleranleitung

4-40

FireSIGHT eStreamer Integration Guide

Chapter 4 Understanding Discovery & Connection Data Structures

Metadata for Discovery Events

Client Application Messages

New Client Application, Client Application Update, and Client Application Timeout events have the
same format and contain a standard discovery event header (as documented in

Discovery Event Header

5.2+, page 4-32

) followed by a Client Application data block (see

Host Client Application Data Block

for 5.0+, page 4-138

, block type 122 in series 1). The discovery event header has a different record type,

event type, and event subtype, depending on the event transmitted.

Note

The Client Application data block differs depending on the system version that created the message. For
information on the legacy version of the Client Application data block, see

Understanding Legacy Data

Structures, page B-1

IP Address Change Message

The following host discovery messages have a standard discovery event header (as documented in

Discovery Event Header 5.2+, page 4-32

) and two different forms, structures, one with four bytes for the

IP address and one with 16 bytes for the IP address.

Four bytes are used for the IP address (in IP address octets) in the following case:

•

New IPv4 to IPv4 Traffic

•

Host IP Address Changed, when the RNA event version is less than 10

Byte

Bit

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

Discovery Event Header

Client Application Data Block

Byte

Bit

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

Discovery Event Header

IP Address