Cisco Firepower Management Center 4000 Developer Guide
4-43
FireSIGHT eStreamer Integration Guide
Chapter 4 Understanding Discovery & Connection Data Structures
Metadata for Discovery Events
Hops Change Message
A Hops Change event message has a standard discovery event header (as documented in ) followed by a one-byte field for the hops count.
TCP and UDP Port Closed/Timeout Messages
TCP and UDP Port Closed and Port Timeout event messages have a standard discovery event header (as documented in ) followed by a two-byte field for the port number.
MAC Address Messages
MAC Information Change and Additional MAC Detected for Host messages have a standard discovery event header (as documented in ), 1 byte for the TTL value, 6 bytes for the MAC address, and 1 byte to indicate whether the MAC address was detected via ARP/DHCP traffic as the actual MAC address.
Note
If you receive MAC address messages from a system running version 4.9.x, you must check the length of the MAC address data block and decode accordingly. If the data block is 8 bytes in length (16 bytes with the header), see . If the data block is 12 bytes in length (20 bytes with the header), see .
Note that the MAC address data block header is not used within MAC Information Change and Additional MAC Detected for Host messages.
Hops Change message layout:
Byte    0          1          2          3
Bit     0-7        8-15       16-23      24-31
        Discovery Event Header
        Hops
TCP/UDP Port Closed and Port Timeout message layout:
Byte    0          1          2          3
Bit     0-7        8-15       16-23      24-31
        Discovery Event Header
        Port
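The three message bodies above, decoded by an added example (not code from the eStreamer guide or from Cisco). Each function receives only the bytes that follow the discovery event header, since that header is defined elsewhere in the guide; the network (big-endian) byte order for the port field and the sample values are assumptions of this example, and the 12-byte MAC block form from 4.9.x systems is rejected rather than decoded because its layout is not given in this section.

```python
import struct
from dataclasses import dataclass


@dataclass
class MacInfo:
    ttl: int
    mac: str
    detected_via_arp_dhcp: bool  # the trailing 1-byte flag from the guide


def _exact(body: bytes, expected: int) -> bytes:
    # Refuse truncated or over-long bodies instead of silently misreading them.
    if len(body) != expected:
        raise ValueError(f"expected {expected}-byte body, got {len(body)}")
    return body


def parse_hops_change(body: bytes) -> int:
    # One-byte hops count follows the discovery event header.
    return _exact(body, 1)[0]


def parse_port_event(body: bytes) -> int:
    # Two-byte port number; big-endian is an assumption of this example.
    return struct.unpack("!H", _exact(body, 2))[0]


def parse_mac_message(body: bytes) -> MacInfo:
    # Version check from the guide's note: 8-byte block is TTL + MAC + flag;
    # a 12-byte block (4.9.x) uses a layout documented elsewhere, so stop here.
    if len(body) == 12:
        raise ValueError("12-byte MAC block: decode per its separate definition")
    _exact(body, 8)
    ttl, mac_raw, flag = body[0], body[1:7], body[7]
    if flag not in (0, 1):
        raise ValueError(f"unexpected ARP/DHCP flag value {flag}")
    return MacInfo(ttl, ":".join(f"{b:02x}" for b in mac_raw), flag == 1)


def is_rejected(parser, body: bytes) -> bool:
    # True when the parser refuses the body with a length or format error.
    try:
        parser(body)
    except ValueError:
        return True
    return False


# Constructed sample bodies (header already stripped), not captured traffic.
SAMPLE_HOPS = b"\x03"
SAMPLE_PORT = b"\x01\xbb"  # 443
SAMPLE_MAC = b"\x40" + bytes.fromhex("001122aabbcc") + b"\x01"
```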