Cisco Firepower Management Center 2000 Programmer's Guide

Version 5.3
Sourcefire 3D System eStreamer Integration Guide
Understanding Discovery & Connection Data Structures
Host Discovery and Connection Data Blocks
Chapter 4
Host MAC Address 4.9+
The host MAC address data block has a block type of 95 in the series 1 group of 
blocks. The block includes the time-to-live value for the host data, as well as the 
MAC address, the primary subnet of the host, and the last seen value for the 
host. 
The following diagram shows the format of a host MAC address data block in 
4.9+.
The Host MAC Address Data Block Fields table describes the fields of the Host
MAC Address data block.
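Byte    0              1              2              3
Bit     0-7            8-15           16-23          24-31
      +--------------+--------------+--------------+--------------+
      | Host MAC Address Block Type (95)                          |
      +--------------+--------------+--------------+--------------+
      | Host MAC Address Block Length                             |
      +--------------+--------------+--------------+--------------+
      | TTL          | MAC Address                                |
      +--------------+--------------+--------------+--------------+
      | MAC Address, cont.                         | Primary      |
      +--------------+--------------+--------------+--------------+
      | Last Seen                                                 |
      +--------------+--------------+--------------+--------------+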
Host MAC Address Data Block Fields

| Field | Data Type | Description |
|---|---|---|
| Host MAC Address Data Block Type | uint32 | Initiates the Host MAC Address data block. This value is always 95. |
| Host MAC Address Data Block Length | uint32 | Number of bytes in the Host MAC Address data block. This value should always be 20: eight bytes for the data block type and length fields, one byte for the TTL value, 6 bytes for the MAC address, one byte for the primary subnet, and four bytes for the last seen value. |
| TTL | uint8 | Indicates the difference between the TTL value in the packet used to fingerprint the host. |
| MAC Address | uint8 [6] | Indicates the MAC address of the host. |
| Primary | uint8 | Indicates the primary subnet of the host. |
| Last Seen | uint32 | Indicates when the host was last seen in traffic. |
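
A strict parser for the block layout in the table above, as an added example that is not code from the guide or from Cisco. It assumes fields arrive in network byte order with no padding; the names `HostMac`, `parse_host_mac_block` and `SAMPLE` are hypothetical, and the sample bytes are constructed.

```python
import struct
from typing import NamedTuple, Tuple

HOST_MAC_BLOCK_TYPE = 95     # series 1 block type, per the field table
HOST_MAC_BLOCK_LENGTH = 20   # 8 (type + length) + 1 + 6 + 1 + 4

# Assumption: network byte order (big-endian), fields packed without padding.
LAYOUT = struct.Struct("!IIB6sBI")


class HostMac(NamedTuple):
    ttl: int
    mac: str
    primary: int
    last_seen: int   # raw uint32 as received; not interpreted here


def parse_host_mac_block(buf: bytes, offset: int = 0) -> Tuple[HostMac, int]:
    """Parse one Host MAC Address block; return (record, next_offset)."""
    if offset < 0 or len(buf) - offset < LAYOUT.size:
        raise ValueError("truncated Host MAC Address block")
    btype, blen, ttl, mac, primary, last_seen = LAYOUT.unpack_from(buf, offset)
    if btype != HOST_MAC_BLOCK_TYPE:
        raise ValueError(f"unexpected block type {btype}")
    # The table fixes the length at 20. Rejecting any other declared value
    # keeps a malformed length from desynchronizing the blocks that follow.
    if blen != HOST_MAC_BLOCK_LENGTH:
        raise ValueError(f"unexpected block length {blen}")
    mac_text = ":".join(f"{b:02x}" for b in mac)
    return HostMac(ttl, mac_text, primary, last_seen), offset + blen


# Constructed sample block (not captured from a real eStreamer session).
SAMPLE = LAYOUT.pack(95, 20, 1, bytes.fromhex("001122aabbcc"), 1, 1700000000)

if __name__ == "__main__":
    record, next_offset = parse_host_mac_block(SAMPLE)
    print(record, next_offset)
```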