Port probes

Port probes are used in Discovery by the Shazzam probe to detect protocol activity on open ports on devices it encounters.

When a port probe encounters a protocol in use, the Shazzam sensor checks the port probe record to determine which classification probe to launch. The common protocols WMI, SSH, and SNMP in the base system have priority numbers that control the order in which they are launched.

In the base system, the WMI probe is always launched first, and if it is successful on a device, no other port probes are launched for that device. If the WMI probe is not successful, then the SSH probe is launched to gather information on the device. If it is not successful, the SNMP probe is launched. This method allows Discovery to classify a device correctly if the device is running more than one protocol (e.g. SSH and SNMP).

Port Probe Form

To access the Port Probe form, navigate to Discovery Definition > Port Probes.
The Port Probe form provides the following fields:
Table 1. Port Probes
Field Input Value
Name Simple name for the port probe that reflects its function (e.g. snmp).
Description Definition of the acronym for the protocol. (e.g. ssh is Secure Shell Login).
Scanner Shazzam techniques for exploring a port. Some of these are protocol specific, and others are generic. For example, a WMI port probe will use a Scanner value of Generic TCP, and the snmp port probe uses a value of SNMP.
Active Indicates whether this port probe is enabled or disabled.
CIs Indicates whether this port probe is enabled or disabled for discovering "Configuration Items".
IPs Indicates whether this port probe is enabled or disabled for discovering "IP addresses".
Triggered by services Indicates which services define the port usage. Use this setting to define non-standard port usage and pair the port number with the protocol.
Triggers probe Indicates which probe is triggered by the results of this port probe. This is the name of the appropriate classify probe.
Use classification Names the appropriate classification table, based on the protocol being explored.
Classification priority Establishes the priority in which this port probe runs. If the first port probe fails, then the next probe runs on the device, and so forth, until the correct data is returned. This allows for the proper classification of a device that has two running protocols, such as SSH and SNMP. The default priorities for the Discovery protocols are:
  • 1 - WMI
  • 2 - SSH
  • 3 - SNMP
Supplementary Launches supplementary classifications after a higher-priority identification succeeds, once again in order of priority.
Conditional Runs this port probe if any one of the non-conditional probes return an open port. The conditional port probes in the out-of-box system attempt to resolve the names of Windows devices and DNS names. These ports probes take additional resources and are not used unless activity is detected on open ports.