Port probes Port probes are used in Discovery by the Shazzam probe to detect protocol activity on open ports on devices it encounters. When a port probe encounters a protocol in use, the Shazzam sensor checks the port probe record to determine which classification probe to launch. The common protocols WMI, SSH, and SNMP in the base system have priority numbers that control the order in which they are launched. In the base system, the WMI probe is always launched first, and if it is successful on a device, no other port probes are launched for that device. If the WMI probe is not successful, then the SSH probe is launched to gather information on the device. If it is not successful, the SNMP probe is launched. This method allows Discovery to classify a device correctly if the device is running more than one protocol (e.g. SSH and SNMP). Port Probe Form To access the Port Probe form, navigate to Discovery Definition > Port Probes. The Port Probe form provides the following fields:Table 1. Port Probes Field Input Value Name Simple name for the port probe that reflects its function (e.g. snmp). Description Definition of the acronym for the protocol. (e.g. ssh is Secure Shell Login). Scanner Shazzam techniques for exploring a port. Some of these are protocol specific, and others are generic. For example, a WMI port probe will use a Scanner value of Generic TCP, and the snmp port probe uses a value of SNMP. Active Indicates whether this port probe is enabled or disabled. CIs Indicates whether this port probe is enabled or disabled for discovering "Configuration Items". IPs Indicates whether this port probe is enabled or disabled for discovering "IP addresses". Triggered by services Indicates which services define the port usage. Use this setting to define non-standard port usage and pair the port number with the protocol. Triggers probe Indicates which probe is triggered by the results of this port probe. This is the name of the appropriate classify probe. Use classification Names the appropriate classification table, based on the protocol being explored. Classification priority Establishes the priority in which this port probe runs. If the first port probe fails, then the next probe runs on the device, and so forth, until the correct data is returned. This allows for the proper classification of a device that has two running protocols, such as SSH and SNMP. The default priorities for the Discovery protocols are: 1 - WMI 2 - SSH 3 - SNMP Supplementary Launches supplementary classifications after a higher-priority identification succeeds, once again in order of priority. Conditional Runs this port probe if any one of the non-conditional probes return an open port. The conditional port probes in the out-of-box system attempt to resolve the names of Windows devices and DNS names. These ports probes take additional resources and are not used unless activity is detected on open ports. Script Script to run. Selective port probe scanning The order in which Port Probes are run is now prioritized by protocol. Prioritization enables the proper classification of devices that have two protocols running, such as SSH and SNMP, without having to create a complex Discovery Behavior. Previously (in Basic discoveries), Discovery launched all port probes at once and attempted to classify devices based on the activity returned for any protocol. The common protocols WMI, SSH, and SNMP in the out-of-box system now are assigned configurable priority numbers that control the order in which they are launched. The WMI probe is launched first, and if it is successful on a device, no other port probes are launched for that device. If the WMI probe is not successful, then the SSH probe is launched. The SNMP probe is the last to launch, after the other port probes have failed. The field called Classification priority was added to the Port Probe form. The out-of-box system prioritizes the use of port probes as follows: 1 - WMI 2 - SSH 3 - SNMP The WMI port probe runs first and then the WinRM probe. If WMI or WinRM activity is detected on a device, the Windows - Classify probe is launched (and no other port probes). If no WMI or WinRM activity is detected, Shazzam runs the SSH probe. If Shazzam successfully detects SSH activity, the UNIX classifier is launched. The SNMP port probe is launched only if no WMI or SSH activity is detected on a device. This ensures that the correct classifier probe is launched and the correct device data is returned. Shazzam probe, port probes, and protocols Port scanning is the first step in the Discovery process. The Shazzam probe performs port scanning, regardless of whether you use patterns for horizontal discovery. The following table lists the known ports and protocols used by Discovery. Several port probes are available in the base system. Each port probe uses an IP Service, which is a record that tells Discovery which port to use for a specific protocol. Review this table before you block any ports with a firewall. Caution: Make sure that you do not block any ports that Discovery needs. Table 2. Default port probes and default IP services Default port probe name Deafult classification Default IP Service, protocol and port dns Process Classification [discovery_classy_proc] dns (port 53) http HTTP Classification [discovery_classy_http] http (port 80) and https (port 443) ip_phone SNMP Classification [discovery_classy_snmp] sip (port 5060) osx Scan Results Application Classifier [discovery_classy_scan_app] afp (port 548) printer Scan Results Application Classifier [discovery_classy_scan_app] hp-pdl-datastr (port 9100) and printer (port 515) slp Process Classification [discovery_classy_proc] slp (port 427) snmp SNMP Classification [discovery_classy_snmp] snmp (port 161) ssh UNIX Classification [discovery_classy_unix] ssh (port 22) vmapp Application Classification [discovery_classy_appl] vmapp_https (port 5,480) and vmapp6_https (port 9,443) wbem CIM Classification [discovery_classy_cim] wbem_https (port 5989) winrm Windows Classification [discovery_classy_windows] winrm (port 5,985) and winrm_ssl (port 5,986) wins Process Classification [discovery_classy_proc] ms-nb-ns (port 137) wmi Windows Classification [discovery_classy_windows] epmap (port 135) This table shows you other common ports and protocols that Discovery uses. Table 3. Discovery ports and protocols Name Service name Port Details Creates Protocol afp Apple File Protocol 548 TCP BEA Weblogic 7001 cmdb_ci_app_server TCP dns Domain Name Service 53 To resolve the name of each IP Address TCP/UDP epmap Microsoft RPC (WMI, DCOM) 135 Windows Systems TCP ftp 21 TCP hp-pdl-datastr Printer PDL Data Stream 9100 HP Printers TCP http HyperText Transfer Protocol 80 Web Servers cmdb_ci_web_server TCP https HyperText Transfer Protocol over Secure Socket 443 Secure Web Servers cmdb_ci_web_server TCP IBM DB2 50000 TCP IBM MQSeries 1414 TCP IBM Websphere 9080 TCP IBM Web sphere SSL 9443 TCP IMAPS 993 TCP pip (Internet Print Protocol) IP Phone/ Session Initiation Protocol 5060 TCP LDAP 389 TCP LDAPs 636 TCP Microsoft netbios 139 TCP Microsoft-ds 445 TCP ms-nb-ns 137 UDP Microsoft SQL server 1433 TCP MySQL 3306 TCP Nagios NRPE 5666 TCP nfs 2049 TCP/UDP Oracle TNS 1521 TCP POP3 110 TCP postgresql 5432 cmdb_ci_database TCP printer Printer 515 Printers TCP sip SIP (Session Initiation Protocol) 5060 TCP slp Service Location Protocol (SLP) 427 TCP/UDP smtp TCP 25 smux (SNMP multiplexing) 199 snmp Simple Network Management Protocol 161 Network Devices UDP snmptrap 162 UDP ssh Secure Shell Service 22 Unix Systems TCP sunrpc 111 TCP telnet 23 TCP TIBCO Rendezvous 7500 TCP Tomcat HTTP 8080 TCP vmapp6_https 9443 TCP vmapp_https vCenter Server Appliance Web Interface using https 5480 TCP wbem_https CIM-XML via HTTPS(WBEM) 5989 CIM Classification TCP wins Windows Internet Name Service 137 NetBIOS Name Resolver UDP Windows and dynamic ports Windows machines can have dynamic ports in the following ranges: Windows Server 2003: 1024-5000 for both TCP and UDP. Windows Server 2008 and Vista: 49152-65535 for both TCP and UDP.