SlightlyLoony
Tera Contributor

What actually happens when a Discovery kicks off? In this post, I'll follow the process step-by-step for a Windows workstation (or laptop). The process is very similar for other kinds of computers or devices, so following this one example through will help you understand how it works for all of them. Our scenario is this: we've got a brand new Windows workstation, just plugged into the network for the very first time — and when Discovery runs this evening, it's going to find and explore our new workstation. The new workstation's IP address is 10.53.21.154.

It all starts with Discovery asking "What's out there?", by launching a Ping probe to test a range of IP addresses (see Discovery Definition -> Probes). This probe tries to "ping" every valid IP address in the range, exactly as you might do manually. In our scenario, the ping probe is scanning the network 10.53.21.0/24, so it will try every IP address from 10.53.21.1 to 10.53.21.254 (every address in the network except for the network address and the broadcast address). Our new workstation is in that range, so it will respond to the ping.

The Ping sensor (see Discovery Definition -> Sensors) processes the results of the ping probe, and when it sees that our workstation responded to the ping, it will launch a pair of probes: the Resolver probe and the PortScanner probe. Something to keep in mind: at this point, Discovery has no idea what kind of device our workstation is. All it knows is that an IP address responded to a ping. So the ping sensor will create a CMDB item for our workstation, but for now it will classify it as an IP Device.

The resolver probe attempts to find the DNS name for the IP address 10.53.21.154. If it succeeds, it will set that name in the CMDB item.

The port scanner probe checks to see if the device at 10.53.21.154 is listening on any of five ports: 25 (for SSH), 139 or 445 (for Windows), 80 (for web), or 161 (for SNMP). When the PortScanner sensor sees that our workstation is listening on 139 and 445, it looks in the port probes table (Discovery Definition -> Port Probes) to see that it should launch a Windows - System Information probe, and use the Windows classifiers (Discovery Definition -> Windows). The Windows system information probe gathers basic information (using WMI) about the computer and the operating system.

The Windows - System Information sensor reclassifies the CMDB item from an IP Device to a Windows computer or server (which one depends on which operating system it has, as controlled by the Windows classifiers). It then stuffs all the information sent back by the probe into the fields of the CMDB item — so if you were to look at the CMDB record right at this point, you'd see something that was recognizably a Windows computer, but details would be missing. To get the rest of those details, the Windows system information sensor launches several more probes, as configured in the Windows classifier: the Windows - Disks, Windows - Installed Software, Windows - Printers, and Windows - Active Processes probes. These probes gather even more information, just as their names suggest. Their matching sensors stuff the information gathered into the right places in the CMDB record for our new workstation — and when they've finished, the workstation's record is complete.

That's the whole process, for the relatively simple case of a workstation. For servers the process may involve more steps, as probes may be launched to discover more details about certain software running on the server (VMware, Oracle, JBoss, etc.). But the basic process described above is the same for all devices — it always starts with a ping, and what happens after that depends on what the ping (and subsequent probes) discover. You can visualize the process as a tree diagram, with a series of probe/sensor pairs, where each sensor may "branch" the tree as it launches one or more probes. There is an infinite variety of these trees, one for every possible combination of device type and software running on it — but they all work the same way...
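The probe/sensor tree for the workstation scenario can be modelled offline, which is handy for reasoning about which devices end up fully classified and which stay a bare IP Device. This is an added example, not ServiceNow code: the function names, the `OBSERVED` sample data, the class labels and the "Server in the OS name" classifier rule are all assumptions, and only the Windows row of the port probes table is modelled.

```python
import ipaddress

# Probes the Windows - System Information sensor launches, as named in the post.
WINDOWS_DETAIL_PROBES = ["Windows - Disks", "Windows - Installed Software",
                         "Windows - Printers", "Windows - Active Processes"]
WINDOWS_PORTS = {139, 445}  # the only port-probe row modelled here

# Constructed observations standing in for real probe results (hypothetical data).
OBSERVED = {
    "10.53.21.154": {"dns": "new-ws.example.test", "open_ports": [139, 445],
                     "os": "Windows 7 Professional"},
    "10.53.21.20": {"dns": None, "open_ports": [161]},
}

def ping_targets(cidr):
    """Addresses the Ping probe tries: all hosts, minus network and broadcast."""
    return [str(a) for a in ipaddress.ip_network(cidr).hosts()]

def discover(ip, observed):
    """Walk the tree for one IP. Returns (cmdb_record, probes launched in order)."""
    launched = ["Ping"]
    host = observed.get(ip)
    if host is None:                      # no ping reply: no CMDB item is created
        return None, launched
    # Ping sensor: create the item as an IP Device, then branch into two probes.
    ci = {"ip": ip, "class": "IP Device", "name": None}
    launched += ["Resolver", "PortScanner"]
    ci["name"] = host.get("dns")          # Resolver sensor: set only if DNS resolved
    # PortScanner sensor: 139 or 445 open selects the Windows branch.
    if WINDOWS_PORTS & set(host.get("open_ports", [])):
        launched.append("Windows - System Information")
        os_name = host.get("os", "")
        # Assumed classifier rule: server editions have "Server" in the OS name.
        ci["class"] = "Windows Server" if "Server" in os_name else "Windows Computer"
        ci["os"] = os_name
        launched += WINDOWS_DETAIL_PROBES  # sensor branches into the detail probes
    return ci, launched

if __name__ == "__main__":
    for ip in ping_targets("10.53.21.0/24"):
        ci, probes = discover(ip, OBSERVED)
        if ci:
            print(ci["ip"], ci["class"], "->", " > ".join(probes))
```

Records that come out still classed as IP Device are the ones worth reviewing: something answered a ping, but no branch of the tree identified it.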
