Active: Host Discovery

Host Discovery actively indexes devices attached to your network via ICMP, TCP, UDP, DNS, and SNMP and provides an authoritative census of devices that are currently connected to your network.

Host Discovery uses the following ports:

  • ICMP: (no port)
  • SNMP: UDP 161
  • DNS: UDP 53
  • UDP High Port: UDP 33221
  • TCP: User-specified ports

When performing a host census, Asset Manager sends packets in a randomized manner that covers the entire Zone Networks Known address space. This non-sequential, "fan-out" approach minimizes the packet traffic on any single subnet and decreases the likelihood of triggering intrusion detection systems.

The resulting host census becomes the Zone Networks Eligible for all subsequent indexing cycles (e.g., Leak Path, Device Profiling), which also follow this fan-out algorithm.

The Host Discovery envoy collects a high-level system description and returns protocol details on each device found: essentially the IP and/or MAC address and a record of which protocols were used to discover it.

To configure Host Discovery, select or clear the checkboxes. Also indicate your zone of interest and the discovery space in which the Host collector is to operate.

Finally, indicate the ports on which to run the discovery. It may be practical to use the TCP and UDP ports if your network uses them. Otherwise, you can input the TCP and UDP ports used in your environment. If you set non-routable address space as your zone, then the discovery will take place there (e.g., 10.8). Or you may want to run discovery on private address space (i.e., 10.0 to 10.255) to monitor when hosts come onto your network. If a private space is a test network, for example, you will probably want to exclude it from the scope of your discovery.

If Host Discovery is enabled, the discovery engine will ping-sweep your defined collection area. If you have ICMP enabled, Asset Manager sends out pings to all addresses in that area. If a port rejects Asset Manager's TCP request, then Asset Manager knows that port exists. (When a port doesn't exist, there's no response.)

Asset Manager attempts to get responses from potential target devices using the list of protocols below. Asset Manager records all successful responses with the IP, Protocol, and Port combination.

  • UDP
  • TCP
  • ICMP
  • DNS
  • SNMP 
  • TCP SYN/ACK responses to PD/HD requests will result in a TCP RST being sent

Host Discovery pings hosts using ICMP, UDP, and/or TCP.

Target Rules

  • All IPv4 SNMP/OSPF routes with a mask >= 22 in the unroutable address space when the targetInternalRoutes setting is enabled
  • All targets configured in the collector configuration with a mask >= 22 in the unroutable address space when the targetInternalRoutes setting is enabled
  • All IPv4/IPv6 devices found via Broadcast, OSPF, and Path are targeted
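
The first two rules amount to a filter over candidate routes, and the size of the resulting target set is worth checking before enabling the option. The Python below is an added example, not Asset Manager's own code: it assumes "unroutable address space" means the RFC 1918 private ranges, and the function names, the exclude parameter, and the sample routes are constructed for illustration.

```python
import ipaddress

# Assumption: "unroutable address space" = RFC 1918 private ranges.
UNROUTABLE = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_MASK = 22  # from the Target Rules: mask >= 22

# Constructed sample routes (not taken from any real network).
SAMPLE_ROUTES = [
    "10.8.4.0/24",      # private, /24           -> eligible
    "10.8.0.0/16",      # private, mask below 22 -> skipped
    "192.168.8.0/22",   # private, exactly /22   -> eligible
    "172.16.5.0/28",    # private, /28           -> eligible
    "203.0.113.0/24",   # not private            -> skipped
    "fd00::/64",        # IPv6; route rules are IPv4-only -> skipped
    "10.99.0.0/24",     # private, but inside the test network below
]


def eligible_targets(routes, target_internal_routes=True, exclude=()):
    """Apply the SNMP/OSPF and configured-target rules to CIDR strings.

    exclude: CIDRs kept out of scope (for example a test network).
    Devices found via Broadcast, OSPF, and Path are not modelled here.
    """
    if not target_internal_routes:
        return []
    excluded = [ipaddress.ip_network(e) for e in exclude]
    selected = []
    for cidr in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != 4 or net.prefixlen < MIN_MASK:
            continue
        if not any(net.subnet_of(u) for u in UNROUTABLE):
            continue
        if any(net.overlaps(x) for x in excluded):
            continue
        selected.append(net)
    return selected


def target_set_size(networks):
    """Number of addresses the selected networks would add to the target set."""
    return sum(n.num_addresses for n in networks)


if __name__ == "__main__":
    nets = eligible_targets(SAMPLE_ROUTES, exclude=("10.99.0.0/16",))
    print([str(n) for n in nets], target_set_size(nets))
```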

Configuring Host Discovery

To enable Host Discovery:

  1. Go to Admin > Zones.
  2. Select the zone and collector on which you want to add Host Discovery.
  3. Click the Host tab.
    Host Discovery is initially disabled; default settings are visible.

  4. Edit the form as necessary, and then click Update.

    Select Target Discovered Routes only if your rescan interval is low, because this option has the capacity to generate a HUGE system-generated target set (not to be confused with the Target list).

    Use Custom TCP Ports runs the query over ports you specify rather than common ports.

    Select the Enable Host Discovery checkbox when you are ready to have Host Discovery begin indexing.

Discovery of active IP addresses initiates with these settings.