TCP connection discovery

Release version: Xanadu

Updated August 1, 2024

4 minutes to read

Summarize

Summarized using AI

Summary of TCP connection discovery

TCP connection discovery in ServiceNow identifies and classifies TCP connections on devices using Application Dependency Mapping (ADM) and enhanced ADM (ADME) probes. It collects detailed information about processes and their TCP connections, populating this data into thecmdbtcpandcmdbrunningprocesstables. This discovery capability is essential for understanding application dependencies and network traffic on your infrastructure.

Show full answer Show less

Key Data Collected

cmdbtcp table: Captures TCP connection details including device, IP address, port number, process ID (PID), process name, connection type (listening or connected), and an absent flag indicating if a process has stopped running.
cmdbrunningprocess table: Records running process details such as process name, associated device, parent process, listening and connected ports, command and parameters, PID, PPID, as well as classification and absence status.

Discovery Probes and Their Use

ServiceNow uses various standard ADM probes tailored for different operating systems to gather active process and connection data necessary for application dependency mapping:

AIX, HP-UX, Solaris, UNIX, and Windows ADM probes: Collect active processes and TCP connections specific to each platform.
UNIX ADM netstat probe: Supports continuous TCP-based discovery by retrieving TCP connections and processes for ongoing monitoring, used by Service Mapping.

These standard probes work with commands like lsof and netstat (where applicable) and may require enabling certain sub-probes or features depending on the OS.

Enhanced ADM Probes

When enhanced ADM is activated, additional probes provide continuous TCP discovery with extra configuration options:

Windows ADM Enhanced probe: Supports WinRM and non-WinRM MID Servers, configurable via the mid.windows.managementprotocol MID Server parameter.
UNIX ADM Enhanced probe: Offers similar enhanced capabilities for UNIX systems.

Key parameters for controlling probe behavior include:

mid.adme.maxresultsize: Controls the size of the TCP tracking file.
max.admeresultpayloadsize: Controls the maximum payload size of discovery results; must be aligned with the MID Server’s maximum payload size to avoid configuration errors.

Practical Benefits

By leveraging TCP connection discovery, ServiceNow customers gain comprehensive visibility into active processes and their TCP connections across diverse operating systems. This enables accurate application dependency mapping, improved service impact analysis, and supports continuous monitoring for dynamic environments. Proper configuration of probes and MID Server parameters ensures efficient and reliable discovery results.

Discovery identifies and classifies information about TCP connections using the ADM and ADME probes.

Discovery populates this data in the TCP Connections [cmdb_tcp] table.


Label	Table Name	Field Name	Description
Absent	cmdb_tcp	absent	If the process is no longer running on this device. The first time the process is detected, the value is not selected (meaning that it is not absent). If Discovery runs again and does not detect the process, it is selected.
Computer	cmdb_tcp	computer	The device that is connected to or is listening on the TCP port.
IP	cmdb_tcp	ip	The IP address that this device or process is listening on or is connected to. If the IP address is 127.0.0.1, it is the host computer itself.
PID	cmdb_tcp	pid	The ID of the process that is connecting to or listening on this device (IP address).
Port	cmdb_tcp	port	The port number through which TCP traffic was detected.
Process	cmdb_tcp	process	The process that is connecting to or listening on the port.
Type	cmdb_tcp	type	Listening on: the process is listening to the device via TCP. Connecting to: if the process is connected to this device via TCP.
count	cmdb_tcp	count	The number of times that Discovery detects a specific TCP connection. This field is used by ADM enhanced probes.

Discovery populates this data in the Running Process [cmdb_running_process] table.


Label	Field Name	Description
Name	name	The name of the running process.
Computer	computer	The device that the process is running on.
Parent	parent	The parent process of this process, if any.
Listening on	listening_on	The ports that the processes is listening on.
Connected to	connected_to	The ports that the processes is connected to.
Command	command	The command for this process, including the path.
PID	pid	The ID for the process.
PPID	ppid	The ID for the parent process.
Absent	absent	If the process is no longer running on this device. The first time the process is detected, the value is not selected (meaning that it is not absent). If Discovery runs again and does not detect the process, it is selected.
Classify	classify	If the running process should be classified.
Key parameters	key_parameters	The key parameters for the command.
Parameters	parameters	The parameters for the command.
Count	count	The number of times that Discovery detects a specific TCP connection. This field is used by ADM enhanced probes.

Standard ADM probes

Discovery launches these probes with standard ADM discovery:


Name	Description	Includes these sub-probes
AIX - ADM	Queries for information about active (running) AIX processes and active connections - the information required to perform application dependency mapping.	AIX - Active Connections AIX - Active Processes
HP-UX - ADM	Queries for information about active (running) HP-UX processes and active connections - the information required to perform application dependency mapping. This probe requires that lsof be installed and the UNIX - Active Connections probe be activated, which is inactive by default.	UNIX - Active Connections HP-UX - Active Processes
Solaris - ADM	Queries for information about active (running) Solaris processes and active connections - the information required to perform application dependency mapping. This probe is triggered by the Solaris Zones probe. The system triggers an ADM probe for each local zone contained in a global zone. This probe requires that lsof be installed on the global zone.	Solaris - Active Processes Solaris - Active Connections
UNIX - ADM	Queries for information about active (running) UNIX processes and active connections - the information required to perform application dependency mapping.	UNIX - Active Connections UNIX - Active Processes
Windows - ADM	Queries for information about active (running) Windows processes and active connections - the information required to perform application dependency mapping.	Windows - Active Connections Windows - Active Processes
UNIX - ADM netstat	Performs the same functions as the UNIX ADM probe relying on netstat to support continuous TCP-based discovery. Service Mapping uses this probe for traffic-based discovery.	UNIX - Active Connections with Netstat. This probe retrieves TCP connections to populate the cmdb_tcp and cmdb_tcp_connection tables. UNIX - Active Processes. This probe retrieves TCP processes and populates the cmdb_running_process table.

Enhanced ADM probes

Discovery launches these probes when enhanced ADM is activated:


Probe	Description
Windows - ADM Enhanced	Performs the same functions as the Windows ADM probe with additional parameters to control continuous TCP-based discovery. This probe is compatible with WinRM and non-WinRM supported MID Servers. Configure your MID Server using the `mid.windows.management_protocol` parameter. See MID Server parameters for the values you can use for this parameter.
UNIX - ADM Enhanced	Performs the same functions as the UNIX ADM probe with additional parameters to control continuous TCP-based discovery.

Use these probe parameters with the enhanced ADM probes:


Parameter	Description
mid.adme.max_result_size	Control the size of the TCP tracking file.
max.adme_result_payload_size	Controls the size of the result, including the payload. Note: If this is greater than the MID Server properties mid.discovery.max_payload_size, a configuration error can occur.