SlightlyLoony
Tera Contributor

Have you wondered how Discovery can figure out that one system (perhaps an accounting application) is related to another (such as the database used by the accounting application)? I've been asked this question many times. It isn't magic...

As Discovery explores each computer system, it collects a list of every process running on that computer, along with any TCP connections and listening sockets owned by that process. In plain English, for each process Discovery is collecting information about what other services that process is using, and what services that process provides.

For example, let's take that hypothetical accounting application, running on the computer at IP address 10.23.76.2. When Discovery explores the computer it's running on, it's going to find something like this:

Accounting LISTENS to TCP port 4555
Accounting CONNECTS from TCP port 10564 to IP 10.4.14.67 TCP port 3306
Accounting CONNECTS from TCP port 4555 to IP 10.56.23.87 TCP port 65232


The first line tells Discovery that the accounting process listens to TCP port 4555, and from that Discovery can infer that the accounting process is providing a service to other systems, on port 4555. The second line tells Discovery that the accounting process is connecting to the computer at 10.4.14.67, using a port (10564 in our example) other than a port the accounting process is listening on. From this, Discovery can infer that the accounting process is using a service on 10.4.14.67, and that service must be listening to TCP port 3306 (since that's the port it connected to). The third line tells Discovery that the computer at 10.56.23.87 connected to the service provided by the accounting process (because it's on TCP port 4555, the one the accounting process is listening on). From that, Discovery can infer that the computer at 10.56.23.87 is using the service provided by the accounting process.

That may sound like a lot of information, but it's actually incomplete — because at this point Discovery doesn't know what process on the other system is using, or being used by, the accounting process. But when Discovery explores those other computers, it will get information much like the above, and then it can start making those relationships. For instance, when Discovery explores the computer at 10.4.14.67, it might find something like this:

SQL LISTENS to TCP port 3306
SQL CONNECTS from TCP port 3306 to IP 10.23.76.2 TCP port 32543
SQL CONNECTS from TCP port 3306 to IP 10.23.74.56 TCP port 32543


The first line tells Discovery that the SQL process is listening on TCP port 3306. That's the last piece of information that Discovery needs to infer that the accounting process (on 10.23.76.2) is using the SQL process on 10.4.14.67 — so now Discovery can (and does!) automatically create the relationship between the two of them in the CMDB. Note that Discovery doesn't actually have to see the connection to 10.23.76.2 to be able to create the relationship — it's enough to know that SQL is listening on the port (3306) that we saw the accounting process connecting to.

Similarly, when Discovery explores the computer at 10.56.23.87, it should find the information that will let it determine which process on that computer is using the service provided by the accounting process.
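The matching logic described above, as an added Python example (not code from the original post or from Discovery itself). The record layout and the function name `infer_relationships` are assumptions; the input is the post's sample lines retyped as data.

```python
from collections import namedtuple

# One record per line of the post's sample output (layout is an assumption).
Obs = namedtuple("Obs", "host process kind local_port remote_ip remote_port")

# Constructed input: the post's example lines for 10.23.76.2 and 10.4.14.67.
OBSERVATIONS = [
    Obs("10.23.76.2", "Accounting", "LISTEN", 4555, None, None),
    Obs("10.23.76.2", "Accounting", "CONNECT", 10564, "10.4.14.67", 3306),
    Obs("10.23.76.2", "Accounting", "CONNECT", 4555, "10.56.23.87", 65232),
    Obs("10.4.14.67", "SQL", "LISTEN", 3306, None, None),
    Obs("10.4.14.67", "SQL", "CONNECT", 3306, "10.23.76.2", 32543),
    Obs("10.4.14.67", "SQL", "CONNECT", 3306, "10.23.74.56", 32543),
]

def infer_relationships(observations):
    """Return (resolved, unknown_servers, unknown_clients)."""
    # Who provides a service where: (host, port) -> process name.
    listeners = {(o.host, o.local_port): o.process
                 for o in observations if o.kind == "LISTEN"}
    resolved, unknown_servers, inbound = set(), set(), set()
    for o in observations:
        if o.kind != "CONNECT":
            continue
        if listeners.get((o.host, o.local_port)) == o.process:
            # Local port is the process's own listening port: a client at
            # remote_ip is using this process's service.
            inbound.add((o.remote_ip, o.host, o.process))
        elif (o.remote_ip, o.remote_port) in listeners:
            # Outbound connection to a port with a known listener.
            server = listeners[(o.remote_ip, o.remote_port)]
            resolved.add((o.host, o.process, o.remote_ip, server))
        else:
            # Outbound, but the remote host has not been explored yet.
            unknown_servers.add((o.host, o.process, o.remote_ip, o.remote_port))
    # Clients whose own outbound record already resolved are not unknown.
    known = {(c_host, s_host, s_proc) for c_host, _, s_host, s_proc in resolved}
    return resolved, unknown_servers, inbound - known

if __name__ == "__main__":
    resolved, unknown_servers, unknown_clients = infer_relationships(OBSERVATIONS)
    for c_host, c_proc, s_host, s_proc in sorted(resolved):
        print(f"{c_proc}@{c_host} uses {s_proc}@{s_host}")
    for c_host, s_host, s_proc in sorted(unknown_clients):
        print(f"unexplored client {c_host} uses {s_proc}@{s_host}")
```

The two hosts left in `unknown_clients` (10.56.23.87 and 10.23.74.56) are the ones whose client process can only be named once those computers are explored too.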

And by now, aren't you sorry you asked? Here's some geek humor to make up for this mental torture...