Port probes

Port probes are used in Discovery by the Shazzam probe to detect protocol activity on open ports on devices it encounters.

When a port probe encounters a protocol in use, the Shazzam sensor checks the port probe record to determine which classification probe to launch. The common protocols WMI, SSH, and SNMP in the base system have priority numbers that control the order in which they are launched.

In the base system, the WMI probe is always launched first, and if it is successful on a device, no other port probes are launched for that device. If the WMI probe is not successful, then the SSH probe is launched to gather information on the device. If it is not successful, the SNMP probe is launched. This method allows Discovery to classify a device correctly if the device is running more than one protocol (e.g. SSH and SNMP).

Port Probe Form

To access the Port Probe form, navigate to Discovery Definition > Port Probes.
The Port Probe form provides the following fields:
Table 1. Port Probes
Field Input Value
Name Simple name for the port probe that reflects its function (e.g. snmp).
Description Definition of the acronym for the protocol. (e.g. ssh is Secure Shell Login).
Scanner Shazzam techniques for exploring a port. Some of these are protocol specific, and others are generic. For example, a WMI port probe will use a Scanner value of Generic TCP, and the snmp port probe uses a value of SNMP.
Active Indicates whether this port probe is enabled or disabled.
CIs Indicates whether this port probe is enabled or disabled for discovering "Configuration Items".
IPs Indicates whether this port probe is enabled or disabled for discovering "IP addresses".
Triggered by services Indicates which services define the port usage. Use this setting to define non-standard port usage and pair the port number with the protocol.
Triggers probe Indicates which probe is triggered by the results of this port probe. This is the name of the appropriate classify probe.
Use classification Names the appropriate classification table, based on the protocol being explored.
Classification priority Establishes the priority in which this port probe runs. If the first port probe fails, then the next probe runs on the device, and so forth, until the correct data is returned. This allows for the proper classification of a device that has two running protocols, such as SSH and SNMP. The default priorities for the Discovery protocols are:
  • 1 - WMI
  • 2 - SSH
  • 3 - SNMP
Supplementary Launches supplementary classifications after a higher-priority identification succeeds, once again in order of priority.
Conditional Runs this port probe if any one of the non-conditional probes return an open port. The conditional port probes in the out-of-box system attempt to resolve the names of Windows devices and DNS names. These ports probes take additional resources and are not used unless activity is detected on open ports.
Script Script to run.

Selective port probe scanning

The order in which Port Probes are run is now prioritized by protocol. Prioritization enables the proper classification of devices that have two protocols running, such as SSH and SNMP, without having to create a complex Discovery Behavior. Previously (in Basic discoveries), Discovery launched all port probes at once and attempted to classify devices based on the activity returned for any protocol. The common protocols WMI, SSH, and SNMP in the out-of-box system now are assigned configurable priority numbers that control the order in which they are launched. The WMI probe is launched first, and if it is successful on a device, no other port probes are launched for that device. If the WMI probe is not successful, then the SSH probe is launched. The SNMP probe is the last to launch, after the other port probes have failed.

The field called Classification priority was added to the Port Probe form. The out-of-box system prioritizes the use of port probes as follows:

  • 1 - WMI
  • 2 - SSH
  • 3 - SNMP

The WMI port probe runs first and then the WinRM probe. If WMI or WinRM activity is detected on a device, the Windows - Classify probe is launched (and no other port probes). If no WMI or WinRM activity is detected, Shazzam runs the SSH probe. If Shazzam successfully detects SSH activity, the UNIX classifier is launched. The SNMP port probe is launched only if no WMI or SSH activity is detected on a device. This ensures that the correct classifier probe is launched and the correct device data is returned.

Shazzam probe, port probes, and protocols

Port scanning is the first step in the Discovery process. The Shazzam probe performs port scanning, regardless of whether you use patterns for horizontal discovery. The following table lists the known ports and protocols used by Discovery.

Several port probes are available in the base system. Each port probe uses an IP Service, which is a record that tells Discovery which port to use for a specific protocol. Review this table before you block any ports with a firewall.
Caution: Make sure that you do not block any ports that Discovery needs.
Table 2. Default port probes and default IP services
Default port probe name Deafult classification Default IP Service, protocol and port
dns Process Classification [discovery_classy_proc] dns (port 53)
http HTTP Classification [discovery_classy_http] http (port 80) and https (port 443)
ip_phone SNMP Classification [discovery_classy_snmp] sip (port 5060)
osx Scan Results Application Classifier [discovery_classy_scan_app] afp (port 548)
printer Scan Results Application Classifier [discovery_classy_scan_app] hp-pdl-datastr (port 9100) and printer (port 515)
slp Process Classification [discovery_classy_proc] slp (port 427)
snmp SNMP Classification [discovery_classy_snmp] snmp (port 161)
ssh UNIX Classification [discovery_classy_unix] ssh (port 22)
vmapp Application Classification [discovery_classy_appl] vmapp_https (port 5,480) and vmapp6_https (port 9,443)
wbem CIM Classification [discovery_classy_cim] wbem_https (port 5989)
winrm Windows Classification [discovery_classy_windows] winrm (port 5,985) and winrm_ssl (port 5,986)
wins Process Classification [discovery_classy_proc] ms-nb-ns (port 137)
wmi Windows Classification [discovery_classy_windows] epmap (port 135)

This table shows you other common ports and protocols that Discovery uses.

Table 3. Discovery ports and protocols
Name Service name Port Details Creates Protocol
afp Apple File Protocol 548 TCP
BEA Weblogic 7001 cmdb_ci_app_server TCP
dns Domain Name Service 53 To resolve the name of each IP Address TCP/UDP
epmap Microsoft RPC (WMI, DCOM) 135 Windows Systems TCP
ftp 21 TCP
hp-pdl-datastr Printer PDL Data Stream 9100 HP Printers TCP
http HyperText Transfer Protocol 80 Web Servers cmdb_ci_web_server TCP
https HyperText Transfer Protocol over Secure Socket 443 Secure Web Servers cmdb_ci_web_server TCP
IBM DB2 50000 TCP
IBM MQSeries 1414 TCP
IBM Websphere 9080 TCP
IBM Web sphere SSL 9443 TCP
IMAPS 993 TCP
pip (Internet Print Protocol) IP Phone/ Session Initiation Protocol 5060 TCP
LDAP 389 TCP
LDAPs 636 TCP
Microsoft netbios 139 TCP
Microsoft-ds 445 TCP
ms-nb-ns 137 UDP
Microsoft SQL server 1433 TCP
MySQL 3306 TCP
Nagios NRPE 5666 TCP
nfs 2049 TCP/UDP
Oracle TNS 1521 TCP
POP3 110 TCP
postgresql 5432 cmdb_ci_database TCP
printer Printer 515 Printers TCP
sip SIP (Session Initiation Protocol) 5060 TCP
slp Service Location Protocol (SLP) 427 TCP/UDP
smtp TCP 25
smux (SNMP multiplexing) 199
snmp Simple Network Management Protocol 161 Network Devices UDP
snmptrap 162 UDP
ssh Secure Shell Service 22 Unix Systems TCP
sunrpc 111 TCP
telnet 23 TCP
TIBCO Rendezvous 7500 TCP
Tomcat HTTP 8080 TCP
vmapp6_https 9443 TCP
vmapp_https vCenter Server Appliance Web Interface using https 5480 TCP
wbem_https CIM-XML via HTTPS(WBEM) 5989 CIM Classification TCP
wins Windows Internet Name Service 137 NetBIOS Name Resolver UDP

Windows and dynamic ports

Windows machines can have dynamic ports in the following ranges:
  • Windows Server 2003: 1024-5000 for both TCP and UDP.
  • Windows Server 2008 and Vista: 49152-65535 for both TCP and UDP.