Cisco Firepower Management Center 2000 Developer Guide

FireSIGHT eStreamer Integration Guide
Chapter 3      Understanding Intrusion and Correlation Data Structures
  Intrusion Event and Metadata Record Types

Packet Record 4.8.0.2+
The eStreamer service transmits the packet data associated with an event in a Packet record, the format of which is shown below. Packet data is sent when the Packet flag—bit 0 in the Request Flags field of a request message—is set. See . If you enable bit 23, an extended event header is included in the record. Note that the Record Type field, which appears after the Message Length field, has a value of 2, indicating a packet record.

The following table describes the fields in the Packet record.
Byte   0               1               2               3
Bit    0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
       Header Version (1)              | Message Type (4)
       Message Length
       Record Type (2)
       Record Length
       eStreamer Server Timestamp (in events, only if bit 23 is set)
       Reserved for Future Use (in events, only if bit 23 is set)
       Device ID
       Event ID
       Event Second
       Packet Second
       Packet Microsecond
       Link Type
       Packet Length
       Packet Data...
Table 3-2    Packet Record Fields

Field           Data Type   Description
Device ID       uint32      The device identification number. You can obtain device names that correlate to them by requesting Version 3 or 4 metadata. See  for more information.
Event ID        uint32      The event identification number.
Event Second    uint32      The second (from 01/01/1970) that the event occurred.
Packet Second   uint32      The second (from 01/01/1970) that the packet was captured.
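The layout above is easiest to understand as a decoder. The following is an added example written for this page, not code from Cisco or from the eStreamer guide. It assumes that all fields are big-endian (network byte order), that Header Version and Message Type are two 16-bit fields sharing the first 32-bit row, that Message Length counts the bytes after the 8-byte message header and Record Length the bytes after the 8-byte record header, and that Packet Microsecond, Link Type and Packet Length are uint32 like the rows above them; the sample values and the packet bytes are constructed. The decoder validates every length before trusting it, so a truncated or mis-framed record raises an error instead of being silently misread, which is the behaviour a collector fed by a network stream needs.

```python
import struct
from dataclasses import dataclass
from typing import Optional

PACKET_RECORD_TYPE = 2                     # Record Type value for a packet record (from the guide)
MESSAGE_HEADER = struct.Struct("!HHI")     # Header Version, Message Type, Message Length (assumed 16/16/32 bits)
RECORD_HEADER = struct.Struct("!II")       # Record Type, Record Length
EXTENDED_HEADER = struct.Struct("!II")     # eStreamer Server Timestamp, Reserved (only if request bit 23 is set)
PACKET_FIELDS = struct.Struct("!IIIIIII")  # Device ID .. Packet Length, one uint32 per 32-bit row


@dataclass
class PacketRecord:
    header_version: int
    message_type: int
    record_type: int
    server_timestamp: Optional[int]   # None when the extended header is absent
    device_id: int
    event_id: int
    event_second: int
    packet_second: int
    packet_microsecond: int
    link_type: int
    packet_length: int
    packet_data: bytes


def parse_packet_record(buf: bytes, extended_header: bool) -> PacketRecord:
    """Decode one complete eStreamer packet record; raise ValueError on any length mismatch."""
    if len(buf) < MESSAGE_HEADER.size + RECORD_HEADER.size:
        raise ValueError("buffer shorter than message and record headers")
    header_version, message_type, message_length = MESSAGE_HEADER.unpack_from(buf, 0)
    # Assumption: Message Length counts the bytes following the 8-byte message header.
    if message_length != len(buf) - MESSAGE_HEADER.size:
        raise ValueError("Message Length does not match buffer size (truncated or mis-framed)")
    record_type, record_length = RECORD_HEADER.unpack_from(buf, MESSAGE_HEADER.size)
    if record_type != PACKET_RECORD_TYPE:
        raise ValueError(f"not a packet record: Record Type {record_type}")
    # Assumption: Record Length counts the bytes following the 8-byte record header.
    if record_length != message_length - RECORD_HEADER.size:
        raise ValueError("Record Length inconsistent with Message Length")
    offset = MESSAGE_HEADER.size + RECORD_HEADER.size

    server_timestamp = None
    if extended_header:  # present only when bit 23 was set in the request
        if len(buf) < offset + EXTENDED_HEADER.size:
            raise ValueError("record too short for extended event header")
        server_timestamp, _reserved = EXTENDED_HEADER.unpack_from(buf, offset)
        offset += EXTENDED_HEADER.size

    if len(buf) < offset + PACKET_FIELDS.size:
        raise ValueError("record too short for packet record fields")
    (device_id, event_id, event_second, packet_second,
     packet_microsecond, link_type, packet_length) = PACKET_FIELDS.unpack_from(buf, offset)
    offset += PACKET_FIELDS.size
    # Packet Length must account for exactly the bytes left; never slice on an unchecked length.
    if packet_length != len(buf) - offset:
        raise ValueError("Packet Length does not match the bytes remaining in the record")
    return PacketRecord(header_version, message_type, record_type, server_timestamp,
                        device_id, event_id, event_second, packet_second,
                        packet_microsecond, link_type, packet_length, buf[offset:])


def build_sample_record(packet_data: bytes, extended_header: bool) -> bytes:
    """Construct a packet record with made-up field values (test data, not captured traffic)."""
    body = b""
    if extended_header:
        body += EXTENDED_HEADER.pack(1700000000, 0)         # constructed server timestamp, reserved = 0
    body += PACKET_FIELDS.pack(17, 42, 1700000000, 1700000000, 123456, 1, len(packet_data))
    body += packet_data
    record = RECORD_HEADER.pack(PACKET_RECORD_TYPE, len(body)) + body
    return MESSAGE_HEADER.pack(1, 4, len(record)) + record   # Header Version 1, Message Type 4


if __name__ == "__main__":
    sample = build_sample_record(b"\xde\xad\xbe\xef", extended_header=True)
    print(parse_packet_record(sample, extended_header=True))
```

The `extended_header` flag must mirror what the client requested: if bit 23 was set in the request but the decoder is told otherwise, the eight extra bytes shift every following field, and the Packet Length check is what turns that mistake into a visible error rather than a corrupted capture.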