Discovery made easy

What is Discovery? The easiest way to sum it up is to say that it is a set of conventional, widely used techniques for extracting information from computers and other devices on a network.

The techniques used are nothing new and have been around for years. In fact, some are over 10 years old (for example, SSH, the Secure Shell used to administer UNIX systems).

The Census Agent

Discovery is like the United States Census - the government headcount that sends census agents to your door to gather information about your household, such as how many people live there and whether you have been to college. The census agents report their findings back to the government, which loads all the data into a database. That's exactly what Discovery does, but instead of a census agent, we use an agent called a MID Server, which reports what it finds back to the ServiceNow instance.

Before a census agent can survey a neighborhood, he needs to know where to go. So does the MID Server. However, the MID Server doesn't understand a street address; it understands IP addresses. An IP address (for example, 34.237.9.72) is the address of a computer on a network. The census agent can use your address to get to your house just fine, but when he arrives he needs some kind of identification or badge so that you will talk to him. In the networking world, this identification is known as credentials. Access to a computer is normally granted if you present the correct credentials - a user name and password. Because those credentials let the MID Server log in to every device it discovers, they should belong to an account with no more rights than Discovery actually needs (read-only where the platform allows it).

What have we learned so far? Before we can discover anything, we need:
  • A MID Server
  • IP addresses
  • Credentials

This is simple enough. After we configure Discovery, we need to start working. Nothing gets accomplished if the census agent doesn’t start knocking on some doors. The next step is to have our MID Server start knocking on doors. The MID Server finds the devices it needs to question by using the IP addresses it was given.

When it visits a device, the MID Server first tries to work out what language the device speaks. A census agent would probably ask the person at the door what language they speak in their home. To achieve this, the MID Server does a simple port scan: it checks a few well-known ports and uses which ones are listening to guess what kind of operating system the device runs. For example, the MID Server checks whether port 22 is listening.

What does this mean? When a device is online and communicating with other devices, it usually does so using the TCP/IP protocol suite. TCP, the transport protocol in that suite, uses numbered ports to establish connections: a service listens on a known port and clients connect to it. For example, web sites usually run on port 80 (plain HTTP) or port 443 (HTTPS). When you type in www.google.com, your browser connects to that address on port 80 or 443. Using this example, if we scan a device's ports and find that it is listening on port 80, we can reasonably assume that it is running a web server. We use the same approach to guess what kind of operating system the device is using. Back to port 22: that is the port SSH listens on, and SSH is how most UNIX and Linux machines are administered from the command line. So if a device is listening on port 22, the odds are pretty good that it is a UNIX or Linux machine. We use the same approach for Windows, which listens on port 135 (the RPC endpoint mapper that WMI relies on). Keep in mind that this is an inference, not proof: an open port tells you that something is listening there, not which program or which operating system is behind it, and a firewall that filters the port can hide a service that is actually running.
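The port-based guess described above, as an added example that is not part of the original page and not the MID Server's own code: a small Python connect scanner that checks ports 22, 135 and 80, reads the SSH identification string when port 22 is open, and turns the result into an operating-system guess. The function names, the fixed port list and the rule that an SSH banner containing "Windows" overrides the port heuristic are this example's own assumptions. It goes one step beyond the text by handling the ambiguous case where both 22 and 135 answer, which happens when a Windows host runs OpenSSH.

```python
import socket

# Ports the text uses as operating-system hints.  Open ports are a heuristic:
# a listener on 22 is probably sshd, but Windows can run OpenSSH too, so the
# SSH identification string (RFC 4253 section 4.2) is used to break the tie.
SSH_PORT = 22       # SSH, typical of UNIX/Linux
RPC_PORT = 135      # MS-RPC endpoint mapper, used by WMI/DCOM on Windows
HTTP_PORT = 80      # a web server; says nothing about the OS


def tcp_port_open(host, port, timeout=1.0):
    """True if a TCP connect() to host:port completes (something is listening)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_ssh_banner(data):
    """Extract the 'SSH-protoversion-softwareversion' line from what the server
    sent first.  RFC 4253 lets a server send other lines before it, so skip
    anything that does not start with 'SSH-'.  Returns None if no ident found."""
    for line in data.split(b"\n"):
        line = line.strip()
        if line.startswith(b"SSH-"):
            return line.decode("ascii", "replace")
    return None


def grab_ssh_banner(host, port=SSH_PORT, timeout=2.0):
    """Connect and read the server's identification string (the server speaks first)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            return parse_ssh_banner(sock.recv(512))
    except OSError:
        return None


def classify(open_ports, ssh_banner=None):
    """Guess the OS family from open ports (plus an SSH banner if we read one).
    Returns 'unix', 'windows', 'ambiguous' or 'unknown'.  Assumed rule: a banner
    that names Windows (e.g. 'SSH-2.0-OpenSSH_for_Windows_8.1') wins over ports."""
    if ssh_banner and "Windows" in ssh_banner:
        return "windows"
    has_ssh = SSH_PORT in open_ports
    has_rpc = RPC_PORT in open_ports
    if has_ssh and has_rpc:
        return "ambiguous"   # both stacks answering: needs a closer look
    if has_rpc:
        return "windows"
    if has_ssh:
        return "unix"
    return "unknown"         # e.g. only port 80 open, or a filtered host


def scan_host(host, ports=(SSH_PORT, RPC_PORT, HTTP_PORT)):
    """Connect-scan a few well-known ports and return (open_ports, guess)."""
    open_ports = {p for p in ports if tcp_port_open(host, p)}
    banner = grab_ssh_banner(host) if SSH_PORT in open_ports else None
    return open_ports, classify(open_ports, banner)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(scan_host(target))
```

Run it only against hosts you are allowed to scan. The classifier is deliberately conservative: it returns "ambiguous" or "unknown" rather than guessing, which is the behaviour you want before any credential is tried against a device.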

Once we've determined the operating system, we can talk the talk and communicate with the device using its own native language. For UNIX we use SSH (Secure Shell), and for Windows we use WMI (Windows Management Instrumentation). For other devices like Netgear routers and switches and printers, we use SNMP (Simple Network Management Protocol), whose credential is a community string rather than a user name and password. So now we know what kind of operating system the device has, and we know what language to speak. Now we need to ask it some questions.
Figure 1. Discovery Class

The census agent would probably ask questions like "How many kids do you have?" or "How much money do you make?" The MID Server needs to ask questions like "What version of Windows are you running?", "How much RAM do you have?", and "How fast are you?" The MID Server asks these questions with probes. When a MID Server runs a probe, it is basically asking a question. Asking the question is only half of the work, however. The other half is writing the answer down, that is, translating it into terms that ServiceNow can understand. We do this with sensors. The sensor is the part of the process that analyzes and records the data. The probe's job is simply to ask the questions and pass the raw answers along to the sensor, which translates the response into the fields of the configuration item record.
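To make the probe/sensor split concrete, here is an added Python illustration that is not from the original page and is not ServiceNow's probe or sensor code; it only models the division of labour the paragraph describes. It assumes a UNIX probe that runs three commands over SSH and hands back their raw output; the command list, the field names (os, os_version, cpu_count, ram_mb) and the sample output are constructed for the example.

```python
import re

# Constructed sample of what a UNIX probe might bring back: the output of a few
# commands run over SSH, keyed by the command.  Not real device output.
SAMPLE_PROBE_RESULT = {
    "uname -sr": "Linux 5.15.0-91-generic\n",
    "nproc": "8\n",
    "cat /proc/meminfo": (
        "MemTotal:       16326400 kB\n"
        "MemFree:         2354120 kB\n"
        "SwapTotal:       2097148 kB\n"
    ),
}


def run_probe(commands, runner):
    """Probe side: ask the questions.  `runner(cmd)` returns the command's
    output (over SSH in real life); the probe just collects raw text and
    does no interpretation of its own."""
    return {cmd: runner(cmd) for cmd in commands}


def parse_meminfo_kb(text, key):
    """Return the integer kB value for `key` in /proc/meminfo output, or None."""
    match = re.search(r"^%s:\s+(\d+)\s*kB" % re.escape(key), text, re.MULTILINE)
    return int(match.group(1)) if match else None


def sensor(probe_result):
    """Sensor side: translate raw command output into normalised CI fields.
    Missing or malformed output leaves the field unset rather than guessing,
    so a bad or hostile device answer cannot write garbage into the record."""
    ci = {}
    uname = probe_result.get("uname -sr", "").split()
    if len(uname) == 2:
        ci["os"], ci["os_version"] = uname
    nproc = probe_result.get("nproc", "").strip()
    if nproc.isdigit():
        ci["cpu_count"] = int(nproc)
    mem_kb = parse_meminfo_kb(probe_result.get("cat /proc/meminfo", ""), "MemTotal")
    if mem_kb is not None:
        ci["ram_mb"] = mem_kb // 1024   # store in MB, as a CMDB field would
    return ci


if __name__ == "__main__":
    # Stand-in runner that serves the constructed sample instead of calling SSH.
    raw = run_probe(SAMPLE_PROBE_RESULT.keys(), SAMPLE_PROBE_RESULT.__getitem__)
    print(sensor(raw))
```

The point of keeping the two halves separate is that the probe can be pointed at any device, while the sensor is the only place that decides what an answer means; that is also where input from an untrusted host should be validated before it lands in the database.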