Nmap Autodiscovery

Nmap Autodiscovery

Nmap (network mapper) is a tool primarily used for security scanning. However, it can be used to “guess” which services are running on which ports. Device42 uses Nmap to discover which services are running on which ports and automatically combines this data with the NetFlow data to automatically create a map of services and application dependencies.

Add an Nmap Autodiscovery Job

Navigate to the Discovery > Nmap list page and click Create to add a new Nmap autodiscovery job. 

Enter the following required fields for the Nmap job:

• Name: A unique name for the job.
• Remote Collector: The name of the Remote Collector to use. A Local Collector cannot be used.
• Target Host(s) and Network(s): A comma-separated list of IP addresses, IP ranges, CIDR block(s), or hostname(s) to use for Nmap discovery.

You can optionally configure these Nmap job options:

• Exclude Target Host(s) and Network(s): A comma-separated list of IP addresses, IP ranges, CIDR block(s), or hostname(s) to exclude for Nmap discovery.
• Nameserver to use for reverse DNS: The IP address or FQDN of the nameserver.
• OS Detection: On by default. Detect operating systems and versions.
• Service and Version Detection: On by default. Detect running services.
• Object Category for discovered devices: Select an existing object category or add a new category.
• VRF Group for discovered IP addresses and subnets: Select an existing VRF group or add a new group.
• Overwrite existing object categories: Overwrite the object categories for existing discovered devices and child devices.
• Tags for discovered devices: Add a comma-separated list of device tags.

Run Now or Schedule

Select Add another Auto Discovery Schedule when creating or editing the job to add a schedule for the job.

To prevent an unintentionally large number of jobs from running initially, newly created jobs will not run on the first day they are created. If you would like to run a job after its initial creation, click the Run Now button on the job summary page that is displayed after you save a new job.

The Run Now button is also available on the list page (Discovery > Nmap).

Nmap and NetFlow Autodiscovery Notes

In Device42, NetFlow and Nmap can be used by themselves, together, or in combination with point-in-time discovery. Using NetFlow and Nmap data together but without point-in-time discovery results in a good services dependency mapping capability. However, just using these two sources of data is still limited in the following ways:

1. A map of service inter-dependencies and interrelationships can be created. However, many services often combine applications and associated information to form the entire application. For example, there might be multiple Oracle services plus configuration files that together form the Oracle application. Installed apps on a web server, and instances and named pipes on a database, cannot be discovered by the NetFlow/Nmap combination.
2. The services that Nmap finds are guesses, and the guessed version number is probably wrong as often as it is right.
3. Some enterprises have such restrictive firewall rules that Nmap will discover few, if any, services.
4. NetFlow can’t “see” application interactions inside a physical, virtual, or cloud server. NetFlow can only see interactions that go through the router. So, many dependencies will be missed.
5. While NetFlow works well for physical routers and switches, it's not great for the virtual routers and switches found in hypervisors because many hypervisors do not support NetFlow.
6. On routers and switches, NetFlow must be set up for every segment. If some segments are not set up, the application interactions will not be found.

To overcome these limitations, it is better to use NetFlow and Nmap in conjunction with point-in-time discovery.