Cisco Firepower Management Center 4000 Developer's Guide
FireSIGHT eStreamer Integration Guide
Appendix B Understanding Legacy Data Structures
Legacy Connection Data Structures
The following table describes the fields of the operating system fingerprint data block.
Legacy Connection Data Structures
For more information, see the following sections:
Connection Statistics Data Block 5.0 - 5.0.2
The Connection Statistics data block is used in Connection Data messages. The Connection Statistics
data block for version 5.0 - 5.0.2 has a block type of 115.
For more information on the Connection Statistics Data message, see
Table B-18 Operating System Fingerprint Data Block Fields

| Field | Data Type | Description |
|---|---|---|
| Operating System Fingerprint Data Block Type | uint32 | Initiates the operating system data block. This value is always 87. |
| Operating System Data Block Length | uint32 | Number of bytes in the Operating System Fingerprint data block. This value should always be 41: eight bytes for the data block type and length fields, sixteen bytes for the fingerprint UUID value, four bytes for the fingerprint type, four bytes for the fingerprint source type, four bytes for the fingerprint source ID, four bytes for the last seen value, and one byte for the TTL difference. |
| Fingerprint UUID | uint8[16] | Fingerprint identification number, in octets, that acts as a unique identifier for the operating system. The fingerprint UUID maps to the operating system name, vendor, and version in the vulnerability database (VDB). |
| Fingerprint Type | uint32 | Indicates the type of fingerprint. |
| Fingerprint Source Type | uint32 | Indicates the type (i.e., user or scanner) of the source that supplied the operating system fingerprint. |
| Fingerprint Source ID | uint32 | Indicates the ID of the source that supplied the operating system fingerprint. |
| Last Seen | uint32 | Indicates when the fingerprint was last seen in traffic. |
| TTL Difference | uint8 | Indicates the difference between the TTL value in the fingerprint and the TTL value seen in the packet used to fingerprint the host. |
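
As an added example (not code from the Cisco guide), the following Python parser decodes one Operating System Fingerprint data block using the field order and sizes in Table B-18, and rejects input whose block type, block length, or buffer size does not match. It assumes the fields are packed in network byte order with no padding; `OSFingerprint`, `parse_os_fingerprint`, and `SAMPLE` are hypothetical names, and the sample bytes are constructed.

```python
import struct
import uuid
from dataclasses import dataclass
from typing import Tuple

BLOCK_TYPE = 87    # Table B-18: block type is always 87
BLOCK_LENGTH = 41  # Table B-18: 8 + 16 + 4 + 4 + 4 + 4 + 1 bytes

# Assumption: network byte order (big-endian), fields packed without padding.
_LAYOUT = struct.Struct("!II16sIIIIB")
assert _LAYOUT.size == BLOCK_LENGTH


@dataclass(frozen=True)
class OSFingerprint:
    fingerprint_uuid: uuid.UUID  # maps to OS name, vendor and version in the VDB
    fingerprint_type: int
    source_type: int
    source_id: int
    last_seen: int
    ttl_difference: int


def parse_os_fingerprint(buf: bytes, offset: int = 0) -> Tuple[OSFingerprint, int]:
    """Parse one block at `offset`; return the record and the next offset."""
    if offset < 0 or len(buf) - offset < 8:
        raise ValueError("buffer too short for block type and length fields")
    block_type, block_len = struct.unpack_from("!II", buf, offset)
    # Validate the header before trusting it to drive any further reads.
    if block_type != BLOCK_TYPE:
        raise ValueError(f"unexpected block type {block_type}")
    if block_len != BLOCK_LENGTH:
        raise ValueError(f"unexpected block length {block_len}")
    if len(buf) - offset < block_len:
        raise ValueError("buffer ends inside the data block")
    _, _, raw, fp_type, src_type, src_id, seen, ttl = _LAYOUT.unpack_from(buf, offset)
    record = OSFingerprint(uuid.UUID(bytes=raw), fp_type, src_type, src_id, seen, ttl)
    return record, offset + block_len


# Constructed sample block (not captured traffic).
SAMPLE = _LAYOUT.pack(BLOCK_TYPE, BLOCK_LENGTH, bytes(range(16)), 1, 2, 3, 1700000000, 2)

if __name__ == "__main__":
    print(parse_os_fingerprint(SAMPLE))
```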