Port probes

Port probes are used in Discovery by the Shazzam probe to detect protocol activity on open ports on devices it encounters.

When a port probe encounters a protocol in use, the Shazzam sensor checks the port probe record to determine which classification probe to launch. The common protocols WMI, SSH, and SNMP in the base system have priority numbers that control the order in which they are launched.

In the base system, the WMI probe is always launched first, and if it is successful on a device, no other port probes are launched for that device. If the WMI probe is not successful, then the SSH probe is launched to gather information on the device. If it is not successful, the SNMP probe is launched. This method allows Discovery to classify a device correctly if the device is running more than one protocol (e.g. SSH and SNMP).

Port Probe Form

To access the Port Probe form, navigate to Discovery Definition > Port Probes.
The Port Probe form provides the following fields:
Table 1. Port Probes
| Field | Input Value |
| --- | --- |
| Name | Simple name for the port probe that reflects its function (e.g. snmp). |
| Description | Definition of the acronym for the protocol (e.g. ssh is Secure Shell Login). |
| Scanner | Shazzam techniques for exploring a port. Some of these are protocol specific, and others are generic. For example, a WMI port probe uses a Scanner value of Generic TCP, and the snmp port probe uses a value of SNMP. |
| Active | Indicates whether this port probe is enabled or disabled. |
| CIs | Indicates whether this port probe is enabled or disabled for discovering "Configuration Items". |
| IPs | Indicates whether this port probe is enabled or disabled for discovering "IP addresses". |
| Triggered by services | Indicates which services define the port usage. Use this setting to define non-standard port usage and pair the port number with the protocol. |
| Triggers probe | Indicates which probe is triggered by the results of this port probe. This is the name of the appropriate classify probe. |
| Use classification | Names the appropriate classification table, based on the protocol being explored. |
| Classification priority | Establishes the priority in which this port probe runs. If the first port probe fails, then the next probe runs on the device, and so forth, until the correct data is returned. This allows for the proper classification of a device that has two running protocols, such as SSH and SNMP. The default priorities for the Discovery protocols are: 1 - WMI, 2 - SSH, 3 - SNMP. |
| Supplementary | Launches supplementary classifications after a higher-priority identification succeeds, once again in order of priority. |
| Conditional | Runs this port probe if any one of the non-conditional probes returns an open port. The conditional port probes in the out-of-box system attempt to resolve the names of Windows devices and DNS names. These port probes take additional resources and are not used unless activity is detected on open ports. |
| Script | Script to run. |

Selective port probe scanning

The order in which port probes are run is now prioritized by protocol. Prioritization enables the proper classification of devices that have two protocols running, such as SSH and SNMP, without having to create a complex Discovery Behavior. Previously (in Basic discoveries), Discovery launched all port probes at once and attempted to classify devices based on the activity returned for any protocol. The common protocols WMI, SSH, and SNMP in the out-of-box system are now assigned configurable priority numbers that control the order in which they are launched. The WMI probe is launched first, and if it is successful on a device, no other port probes are launched for that device. If the WMI probe is not successful, then the SSH probe is launched. The SNMP probe is the last to launch, after the other port probes have failed.

The field called Classification priority was added to the Port Probe form. The out-of-box system prioritizes the use of port probes as follows:

  • 1 - WMI
  • 2 - SSH
  • 3 - SNMP

The WMI port probe runs first and then the WinRM probe. If WMI or WinRM activity is detected on a device, the Windows - Classify probe is launched (and no other port probes). If no WMI or WinRM activity is detected, Shazzam runs the SSH probe. If Shazzam successfully detects SSH activity, the UNIX classifier is launched. The SNMP port probe is launched only if no WMI or SSH activity is detected on a device. This ensures that the correct classifier probe is launched and the correct device data is returned.
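
The priority chain described above can be modelled in a few lines. This is an added example, not ServiceNow code: the record shape, the field names, the SNMP classifier label and the choice of dns and wins as the conditional probes are assumptions, and WinRM is left out because the page gives no port for it.

```javascript
// Added illustration, not ServiceNow code. The record shape and field names
// are assumptions; ports come from Table 2, priorities from the defaults above.
const portProbes = [
  { name: 'snmp', port: 161, proto: 'UDP', priority: 3, conditional: false,
    triggers: 'SNMP classifier (placeholder name)' },
  { name: 'ssh', port: 22, proto: 'TCP', priority: 2, conditional: false,
    triggers: 'UNIX classifier' },
  { name: 'wmi', port: 135, proto: 'TCP', priority: 1, conditional: false,
    triggers: 'Windows - Classify' },
  // Assumed to be the conditional name-resolution probes.
  { name: 'dns', port: 53, proto: 'UDP', priority: null, conditional: true, triggers: null },
  { name: 'wins', port: 137, proto: 'UDP', priority: null, conditional: true, triggers: null },
];

// openPorts: Set of "PROTO/port" strings seen open on one device.
function planClassification(openPorts, probes = portProbes) {
  const isOpen = (p) => openPorts.has(`${p.proto}/${p.port}`);
  const ordered = probes
    .filter((p) => !p.conditional)
    .sort((a, b) => a.priority - b.priority);

  const attempted = [];
  let winner = null;
  for (const probe of ordered) {
    attempted.push(probe.name);      // launched in priority order
    if (isOpen(probe)) {             // first success stops the chain
      winner = probe;
      break;
    }
  }
  // Conditional probes run only when a non-conditional probe found an open port.
  const conditional = winner
    ? probes.filter((p) => p.conditional).map((p) => p.name)
    : [];
  return { attempted, classify: winner ? winner.triggers : null, conditional };
}

// Constructed sample devices.
const samples = {
  'linux host with SSH and SNMP': new Set(['TCP/22', 'UDP/161']),
  'windows host': new Set(['TCP/135', 'TCP/445']),
  'switch, SNMP only': new Set(['UDP/161']),
  'silent address': new Set(),
};
for (const [label, ports] of Object.entries(samples)) {
  console.log(label, JSON.stringify(planClassification(ports)));
}
```

A host that answers on both SSH and SNMP is handed to the UNIX classifier and the SNMP probe is never attempted, which is the dual-protocol case the priority field exists to resolve.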

Shazzam probe ports and protocols

Port scanning is the first step in the Discovery process. The Shazzam probe performs port scanning, regardless of whether you use patterns for horizontal discovery. The following table lists the known ports and protocols used by Discovery.

Table 2. Discovery ports and protocols
Name Service name Port Details Creates Protocol
afp Apple File Protocol 548 TCP
BEA Weblogic 7001 cmdb_ci_app_server TCP
dns Domain Name Service 53 To resolve the name of each IP Address TCP/UDP
epmap Microsoft RPC (WMI, DCOM) 135 Windows Systems TCP
ftp 21 TCP
hp-pdl-datastr Printer PDL Data Stream 9100 HP Printers TCP
http HyperText Transfer Protocol 80 Web Servers cmdb_ci_web_server TCP
https HyperText Transfer Protocol over Secure Socket 443 Secure Web Servers cmdb_ci_web_server TCP
IBM DB2 50000 TCP
IBM MQSeries 1414 TCP
IBM Websphere 9080 TCP
IBM Websphere SSL 9443 TCP
IMAPS 993 TCP
pip (Internet Print Protocol) IP Phone/ Session Initiation Protocol 5060 TCP
LDAP 389 TCP
LDAPs 636 TCP
Microsoft netbios 139 TCP
Microsoft-ds 445 TCP
ms-nb-ns 137 UDP
Microsoft SQL server 1433 TCP
MySQL 3306 TCP
Nagios NRPE 5666 TCP
nfs 2049 TCP/UDP
Oracle TNS 1521 TCP
POP3 110 TCP
postgresql 5432 cmdb_ci_database TCP
printer Printer 515 Printers TCP
sip SIP (Session Initiation Protocol) 5060 TCP
slp Service Location Protocol (SLP) 427 TCP/UDP
smtp 25 TCP
smux (SNMP multiplexing) 199
snmp Simple Network Management Protocol 161 Network Devices UDP
snmptrap 162 UDP
ssh Secure Shell Service 22 Unix Systems TCP
sunrpc 111 TCP
telnet 23 TCP
TIBCO Rendezvous 7500 TCP
Tomcat HTTP 8080 TCP
vmapp6_https 9443 TCP
vmapp_https vCenter Server Appliance Web Interface using https 5480 TCP
wbem_https CIM-XML via HTTPS(WBEM) 5989 CIM Classification TCP
wins Windows Internet Name Service 137 NetBIOS Name Resolver UDP

Windows and dynamic ports

Windows machines can have dynamic ports in the following ranges:
  • Windows Server 2003: 024-5000 for both TCP and UDP.
  • Windows Server 2008 and Vista: 49152-65535 for both TCP and UDP.

Configure Shazzam probe parameters

When you run Discovery, the Shazzam probe finds your active network devices by scanning specified ports on specified IP address ranges.

Before you begin

Role required: admin

About this task

You control the behavior of individual Shazzam probes using basic and advanced parameters.

For instructions on configuring probe parameters, see Set probe parameters.

Procedure

  1. Navigate to Discovery Definition > Probes.
  2. Select Shazzam.
  3. Add or edit parameters in the Probe Parameters related list.
  4. Configure the basic Shazzam parameters.
    These parameters are defined in the config.xml file on the MID Server, but you can edit the values in the Shazzam probe record as well. Changes to specific parameters that could disconnect you from the MID Server are prohibited in the probe record and can only be made in the configuration file.
    Table 3. Basic Shazzam parameters
    | Parameter | Description |
    | --- | --- |
    | shazzam_chunk_size | Maximum number of IP addresses Shazzam will scan in parallel. This parameter primarily controls outbound port consumption. Default: 100 |
    | regulator_max_packets | Sets the number of packets that Shazzam can launch in the time interval specified by the regulator_period_ms parameter. Default: 1 |
    | regulator_period_ms | Sets the interval, in milliseconds, in which Shazzam can launch packets. Default: 1 |

  5. Configure the advanced Shazzam parameters.
    These parameters are available for fine tuning the Shazzam probe. These values are defined in the probe record only.
    Table 4. Shazzam advanced parameters
    | Parameter | Description |
    | --- | --- |
    | report_inactive | When true, reports devices that are alive but inactive. For example, a device has no ports open but refuses at least one port connection request. Default: true |
    | shazzam_report_dead | When true, reports devices with dead IP addresses. For example, a device that has all ports closed. Default: false |
    | GenericTCP_waitForConnectMS | Sets the number of milliseconds the GenericTCP scanner waits for a connection. Default: 1000 |
    | BannerTCP_waitForConnectMS | Sets the number of milliseconds the BannerTCP scanner waits for a connection and banner. Default: 1500 |
    | HTTP_waitForConnectMS | Sets the number of milliseconds the HTTP scanner waits for a connection. Default: 500 |
    | HTTP_waitForResponseMS | Sets the number of milliseconds the HTTP scanner waits for a response. Default: 500 |
    | NBT_waitForResponseMS | Sets the number of milliseconds the NBT scanner waits for a response. Default: 500 |
    | NBT_alternativePort | Defines an alternative port number for the NBT scanner. Default: N/A |
    | SNMP_taps | Sets the number of taps (requests) the SNMP scanner attempts. Default: 2 |
    | SNMP_tapIntervalMS | Sets the number of milliseconds the SNMP scanner waits between taps. Default: 1000 |
    | SNMP_waitForResponseMS | Sets the number of milliseconds the SNMP scanner waits for a response after the last tap. Default: 1000 |
    | SNMP_alternativePort | Defines the alternative port number for the SNMP scanner. Default: N/A |
    | DNS_waitForResponseMS | Sets the number of milliseconds the DNS scanner waits for a response. Default: 1000 |
    | DNS_alternativePort | Sets an alternative port number for the DNS scanner. Default: N/A |
    | debug | Enables debug logging if set to true. Default: false |
    | scanner_log | Enables scanner logging if set to true. This logging information appears in the Shazzam probe response. Default: false |