Cisco Firepower Management Center 4000 Developer's Guide
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
212
Understanding Discovery & Connection Data Structures
Metadata for Discovery Events
Chapter 4
TCP and UDP Port Closed/Timeout Messages
TCP and UDP Port Closed and Port Timeout event messages have a standard discovery event header (as documented on page 198) followed by a two-byte field for the port number.
MAC Address Messages
MAC Information Change and Additional MAC Detected for Host messages have a standard discovery event header (as documented on page 198), 1 byte for the TTL value, 6 bytes for the MAC address, and 1 byte to indicate whether the MAC address was detected via ARP/DHCP traffic as the actual MAC address.
IMPORTANT! If you receive MAC address messages from a system running version 4.9.x, you must check the length of the MAC address data block and decode accordingly. If the data block is 8 bytes in length (16 bytes with the header), see page 212. If the data block is 12 bytes in length (20 bytes with the header), see
Note that the MAC address data block header is not used within MAC Information Change and Additional MAC Detected for Host messages.
TCP and UDP Port Closed/Timeout message layout:

Byte  |  0       |  1       |  2        |  3
Bit   |  0 - 7   |  8 - 15  |  16 - 23  |  24 - 31
      |  Discovery Event Header
      |  Port (2 bytes)
MAC address message layout:

Byte  |  0       |  1       |  2        |  3
Bit   |  0 - 7   |  8 - 15  |  16 - 23  |  24 - 31
      |  Discovery Event Header
      |  TTL     |  MAC Address (6 bytes)
      |  MAC Address (continued)          |  ARP/DHCP
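The two layouts above, decoded in Python as an added example that is not part of the guide or of any Cisco/Sourcefire tooling. It assumes the caller has already consumed the discovery event header (page 198) and passes only the bytes after it, that fields are in network byte order, and it applies the length check the IMPORTANT note asks for, refusing the 12-byte 4.9.x variant instead of guessing its layout.

```python
import struct
from dataclasses import dataclass

# Assumption: the discovery event header (documented on page 198, not here) has
# already been consumed by the caller; `data` holds only the bytes that follow it.
# eStreamer fields are in network (big-endian) byte order.


@dataclass
class PortEvent:
    port: int


@dataclass
class MacEvent:
    ttl: int
    mac: str
    via_arp_dhcp: bool  # True when the flag byte marks the MAC as the actual (ARP/DHCP-seen) address


def parse_port_block(data: bytes) -> PortEvent:
    """TCP/UDP Port Closed and Port Timeout: a single two-byte port number."""
    if len(data) < 2:
        raise ValueError(f"port block too short: {len(data)} bytes")
    (port,) = struct.unpack("!H", data[:2])
    return PortEvent(port)


def parse_mac_block(data: bytes) -> MacEvent:
    """MAC Information Change / Additional MAC Detected for Host, 5.3 layout:
    1 byte TTL, 6 bytes MAC address, 1 byte ARP/DHCP flag (8 bytes total).
    A 4.9.x sender may emit a 12-byte block instead; its layout is not on this
    page, so that case is rejected explicitly rather than decoded by guesswork."""
    if len(data) == 12:
        raise NotImplementedError("12-byte MAC block from a 4.9.x system: decode per the 4.9.x format")
    if len(data) != 8:
        raise ValueError(f"unexpected MAC block length: {len(data)} bytes")
    ttl, mac, flag = struct.unpack("!B6sB", data)
    return MacEvent(ttl, ":".join(f"{b:02x}" for b in mac), flag != 0)


# Constructed sample payloads (not captured from a real sensor).
SAMPLE_PORT_BLOCK = bytes.fromhex("01bb")                    # port 443
SAMPLE_MAC_BLOCK = bytes.fromhex("40" "001122aabbcc" "01")   # TTL 64, MAC 00:11:22:aa:bb:cc, flag 1

if __name__ == "__main__":
    print(parse_port_block(SAMPLE_PORT_BLOCK))
    print(parse_mac_block(SAMPLE_MAC_BLOCK))
```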