TCP connection discovery
Summarize
Summarized using AI
This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.
Summary of TCP connection discovery
TCP connection discovery in ServiceNow identifies and classifies TCP connections on devices using ADM and ADME probes. It collects detailed information about TCP connections, running processes, and their relationships, storing this data in thecmdbtcpandcmdbrunningprocesstables. This information supports Application Dependency Mapping (ADM) and helps maintain accurate, up-to-date network and process visibility.
Show less
Key Features
- TCP Connections [cmdbtcp] table: Contains details about TCP connections such as the device, IP address, process ID (PID), port number, process name, connection type (listening or connecting), and a count of connection detections. The absent field marks processes no longer detected.
- Running Process [cmdbrunningprocess] table: Records running processes including process name, parent process, listening and connected ports, command line, PID, parent PID, classification status, and detection count. The absent field flags processes no longer running.
- Standard ADM probes: These probes gather information about active processes and TCP connections on various platforms (AIX, HP-UX, Solaris, UNIX, Windows) necessary for dependency mapping. Some probes require additional tools like lsof or activation of sub-probes.
- Enhanced ADM probes: Activated with enhanced ADM, these probes provide continuous TCP-based discovery with additional parameters for controlling data payload size and tracking files. They support both WinRM and non-WinRM MID Servers. Key configuration parameters include mid.adme.maxresultsize and max.admeresultpayloadsize, which regulate data size limits to avoid configuration errors.
Practical Implications for ServiceNow Customers
- By using TCP connection discovery, customers gain comprehensive visibility into TCP processes and connections on their infrastructure, which is critical for accurate Application Dependency Mapping.
- The cmdbtcp and cmdbrunningprocess tables provide structured data to analyze network traffic and running processes, aiding in troubleshooting, impact analysis, and compliance.
- Enhanced ADM probes enable continuous and detailed discovery, improving the accuracy and freshness of dependency data, especially in dynamic environments.
- Proper configuration of MID Server parameters ensures efficient and error-free data collection, particularly when using enhanced probes.
Discovery identifies and classifies information about TCP connections using the ADM and ADME probes.
Discovery populates this data in the TCP Connections [cmdb_tcp] table.
| Label | Table Name | Field Name | Description |
|---|---|---|---|
| Absent | cmdb_tcp | absent | If the process is no longer running on this device. The first time the process is detected, the value is not selected (meaning that it is not absent). If Discovery runs again and does not detect the process, it is selected. |
| Computer | cmdb_tcp | computer | The device that is connected to or is listening on the TCP port. |
| IP | cmdb_tcp | ip | The IP address that this device or process is listening on or is connected to. If the IP address is 127.0.0.1, it is the host computer itself. |
| PID | cmdb_tcp | pid | The ID of the process that is connecting to or listening on this device (IP address). |
| Port | cmdb_tcp | port | The port number through which TCP traffic was detected. |
| Process | cmdb_tcp | process | The process that is connecting to or listening on the port. |
| Type | cmdb_tcp | type |
|
| count | cmdb_tcp | count | The number of times that Discovery detects a specific TCP connection. This field is used by ADM enhanced probes. |
Discovery populates this data in the Running Process [cmdb_running_process] table.
| Label | Field Name | Description |
|---|---|---|
| Name | name | The name of the running process. |
| Computer | computer | The device that the process is running on. |
| Parent | parent | The parent process of this process, if any. |
| Listening on | listening_on | The ports that the processes is listening on. |
| Connected to | connected_to | The ports that the processes is connected to. |
| Command | command | The command for this process, including the path. |
| PID | pid | The ID for the process. |
| PPID | ppid | The ID for the parent process. |
| Absent | absent | If the process is no longer running on this device. The first time the process is detected, the value is not selected (meaning that it is not absent). If Discovery runs again and does not detect the process, it is selected. |
| Classify | classify | If the running process should be classified. |
| Key parameters | key_parameters | The key parameters for the command. |
| Parameters | parameters | The parameters for the command. |
| Count | count | The number of times that Discovery detects a specific TCP connection. This field is used by ADM enhanced probes. |
Standard ADM probes
Discovery launches these probes with standard ADM discovery:
| Name | Description | Includes these sub-probes |
|---|---|---|
| AIX - ADM | Queries for information about active (running) AIX processes and active connections - the information required to perform application dependency mapping. |
|
| HP-UX - ADM | Queries for information about active (running) HP-UX processes and active connections - the information required to perform application dependency mapping. This probe requires that lsof be installed and the UNIX - Active Connections probe be activated, which is inactive by default. |
|
| Solaris - ADM | Queries for information about active (running) Solaris processes and active
connections - the information required to perform application dependency mapping.
This probe is triggered by the Solaris Zones probe. The system triggers an ADM
probe for each local zone contained in a global zone. This probe requires that lsof be installed on the global zone. |
|
| UNIX - ADM | Queries for information about active (running) UNIX processes and active connections - the information required to perform application dependency mapping. |
|
| Windows - ADM | Queries for information about active (running) Windows processes and active connections - the information required to perform application dependency mapping. |
|
| UNIX - ADM netstat | Performs the same functions as the UNIX ADM probe relying on netstat to support continuous TCP-based discovery. Service Mapping uses this probe for traffic-based discovery. |
|
Enhanced ADM probes
Discovery launches these probes when enhanced ADM is activated:
| Probe | Description |
|---|---|
| Windows - ADM Enhanced | Performs the same functions as the Windows ADM probe with
additional parameters to control continuous TCP-based discovery. This probe is
compatible with WinRM and non-WinRM supported MID Servers. Configure your MID
Server using the mid.windows.management_protocol parameter. See
MID Server parameters for the
values you can use for this parameter. |
| UNIX - ADM Enhanced | Performs the same functions as the UNIX ADM probe with additional parameters to control continuous TCP-based discovery. |
Use these probe parameters with the enhanced ADM probes:
| Parameter | Description |
|---|---|
| mid.adme.max_result_size | Control the size of the TCP tracking file. |
| max.adme_result_payload_size | Controls the size of the result, including the payload. Note: If this is
greater than the MID Server properties mid.discovery.max_payload_size, a configuration
error can occur. |