Scans
Introduction
Whether you connect SolarWinds Service Desk (SWSD) via SCCM, router, vCenter, or another connection method, the table below lists all ports that are scanned by default. You can customize the list to suit your organizational needs.
Default Ports Scanned via Nmap
General | Description |
---|---|
7 | Ping, Echo Protocol |
161 | SNMP |
162 | SNMP |
Servers/Service | |
20 | File Transfer Protocol (FTP) data transfer |
21 | File Transfer Protocol (FTP) control (command) |
26 | Port used by RSFTP - a simple FTP-like protocol. |
25 | Simple Mail Transfer Protocol (SMTP), used for email routing between mail servers |
37 | Time Protocol[25] |
53 | Domain Name System (DNS)[34][10] |
80 | Hypertext Transfer Protocol (HTTP)[10][46][47][48] |
106 | Allows passwords to be changed on POP servers |
110 | Post Office Protocol, version 3 (POP3)[10][60][61] |
119 | Network News Transfer Protocol (NNTP),[10] retrieval of newsgroup messages[65][66] |
389 | Lightweight Directory Access Protocol (LDAP)[10] |
465 | Authenticated SMTP[10] over TLS/SSL (SMTPS)[86] |
514 | Syslog,[10] used for system logging |
587 | email message submission[10][89] (SMTP) |
990 | FTPS Protocol (control), FTP over TLS/SSL |
995 | Post Office Protocol 3 over TLS/SSL (POP3S)[10] |
143-144 | Internet Message Access Protocol (IMAP),[10] management of electronic mail messages on a server[70] |
2049 | Network File System (NFS) |
2121 | FTP Proxy |
8008-8009 | Alternative port for HTTP. See also ports 80 and 8080. |
8080-8081 | Alternative port for HTTP. See also ports 80 and 8008. |
Host/Access | |
22 | Secure Shell (SSH),[10] secure logins, file transfers (scp, sftp) and port forwarding |
23 | Telnet protocol—unencrypted text communications[10][23] |
88 | Kerberos[10][51][52] authentication system |
111 | Open Network Computing Remote Procedure Call (ONC RPC, sometimes referred to as Sun RPC) |
513 | rlogin |
Microsoft | |
135 | Microsoft EPMAP (End Point Mapper), also known as DCE/RPC Locator service,[67] used to remotely manage services including DHCP server, DNS server and WINS. Also used by DCOM. |
137 | NetBIOS Name Service, used for name registration and resolution |
138 | NetBIOS Datagram Service |
139 | NetBIOS Session Service[68][69] |
445 | Microsoft-DS (Directory Services) SMB[10] file sharing |
1688 | Microsoft Key Management Service (KMS) for Windows Activation |
3020 | Common Internet File System (CIFS). See also port 445 for Server Message Block (SMB), a dialect of CIFS. |
5061 | Microsoft Terminal Server (RDP) officially registered as Windows Based Terminal (WBT) |
555 | Web Services for Devices (WSDAPI) (only provided by Windows Vista, Windows 7 and Server 2008) |
Printers | |
515 | Line Printer Daemon (LPD),[10] print service |
631 | Common Unix Printing System (CUPS) administration console (extension to IPP) |
Routing & Network | |
179 | Border Gateway Protocol (BGP),[77] used to exchange routing and reachability information among autonomous systems (AS) on the internet |
465 | URL Rendezvous Directory for SSM (Cisco protocol) |
520 | Routing Information Protocol (RIP) |
646 | Label Distribution Protocol (LDP), a routing protocol used in MPLS networks |
711 | Cisco Tag Distribution Protocol—being replaced by the MPLS Label Distribution Protocol |
830 | Netconf |
1293 | Internet Protocol Security (IPSec) |
1701 | Layer 2 Tunneling Protocol (L2TP) |
1707 | L2TP/IPsec, for establishing an initial connection |
1723 | Point-to-Point Tunneling Protocol (PPTP)[10] |
VoIP & Media | |
554 | Real Time Streaming Protocol (RTSP)[10] |
1720 | H.323 call signaling |
1755 | Microsoft Media Services (MMS, ms-streaming) |
2000-2001 | Cisco Skinny |
2427 | Media Gateway Control Protocol (MGCP) media gateway |
5060 | Session Initiation Protocol (SIP) |
5061 | Session Initiation Protocol (SIP) over TLS |
7070 | Real Time Streaming Protocol (RTSP), used by QuickTime Streaming Server. TCP is used by default, UDP is used as an alternate. |
DB | |
1521 | Oracle SQL Net Listener |
1433 | Microsoft SQL Server database management system (MSSQL) server |
1434 | Microsoft SQL Server database management system (MSSQL) monitor |
2483 | Oracle database listening for insecure client connections to the listener, replaces port 1521 |
2484 | Oracle database listening for SSL client connections to the listener |
3306 | MySQL database system |
5432 | PostgreSQL database system |
8000 | DynamoDB Local |
Misc | |
9 | Discard Protocol[12] |
13 | Daytime Protocol[16] |
26 | Port used by RSFTP - a simple FTP-like protocol. |
79 | Finger protocol[10][44][45] |
81 | TorPark onion routing |
113 | Ident, authentication service/identification protocol,[10][62] used by IRC servers to identify users |
199 | SNMP Unix Multiplexer (SMUX)[79] |
427 | Service Location Protocol (SLP)[10] |
443 | Hypertext Transfer Protocol over TLS/SSL (HTTPS)[10] |
444 | Simple Network Paging Protocol (SNPP), RFC 1568 |
543-544 | klogin, Kerberos login |
548 | Apple Filing Protocol (AFP) over TCP[10] |
873 | rsync file synchronization protocol |
993 | Internet Message Access Protocol over TLS/SSL (IMAPS)[10] |
1025-1029 | Ports > 1024 are designated for dynamic allocation by Windows |
1110 | nfsd-status, Cluster status info |
1900 | Simple Service Discovery Protocol (SSDP),[10] discovery of UPnP devices |
2717 | PN REQUESTER |
3000 | In use by multiple applications |
3128 | Squid caching web proxy |
3986 | mapper-ws_ethd, MAPPER workstation server |
4899 | Radmin (Fama Tech) - remote administration of PCs |
5000 | UPnP—Windows network device interoperability |
5009 | Apple AirPort Admin Utility, AirPort Express Assistant, Xwis (TCP/UDP) |
5051 | ita-agent Symantec Intruder Alert |
5101 | Yahoo Messenger P2P Instant Messages |
5190 | AOL Instant Messenger protocol. The chat app is defunct as of 15 December 2017. |
5631 | pcANYWHEREdata, Symantec pcAnywhere (version 7.52 and later[219])[220] data |
5666 | NRPE (Nagios) |
5800 | VNC Remote Frame Buffer RFB protocol over HTTP |
5900 | Virtual Network Computing (VNC) Remote Frame Buffer RFB protocol |
6000-6001 | X11—used between an X client and server over the network |
6646 | McAfee Network Agent (unofficial) |
8443 | Apache Tomcat SSL |
8888 | HyperVM over HTTPS |
9100 | PDL Data Stream, used for printing to certain network printers |
9999-10000 | In use by multiple applications |
32768 | Red Hat, first ports typically used for outgoing connections by some Linux distros like Red Hat |
49152-49157 | Linux commonly used by applications that utilize a dynamic/random/configurable port |
Next scheduled scan and run scan on demand
From the All Connections index page, when you select a connection you are routed to a screen that provides detailed information for that connection. In the top right corner, you can see the time and date of the next scheduled scan. From there, you can choose to run a scan on demand or activate and deactivate the scan via the status pill.
Last Scan Report
You can pull the Last Scan Report at any time to get a real-time view of the current status of your infrastructure.
The report, displayed on the right pane, includes the Scanned Device per Type. To better understand the details provided, we have included the table below.
Status | Description |
---|---|
Scanned Devices | Total scanned devices per Connection: |
Devices Updated | Any change in device information, when compared to the previous scan, leads to a database update. |
New Devices Detected | Any device that has responded to a ping request for the first time. |
Responded Devices | Total number of devices recognized as active: |
Discarded Devices | An IP address alone is not a sufficient factor to uniquely identify an asset. Therefore, the discovery process will discard any asset that does not possess a unique identifier, such as a MAC address or serial number. In cases where a MAC address is not detected by the scanner, there are multiple options to provide clarity: |
Skipped Devices | Devices that have not been reported for one of the following reasons: |
Intune
In addition to the table above, you are able to pull fields from your mobile devices via Intune, which is a part of Microsoft Endpoint Manager. Below is a list of data pulled:
- Owner
- Manufacturer
- OS Version
- Serial Number
- IMEI Number
- IP Address
- Wi-Fi MAC
- ICCID
- App List
See Intune configuration for instructions on integrating Intune with SWSD.
Data collection via WMI
Windows Management Instrumentation (WMI) provides the ability to obtain management data from remote computers in an enterprise environment operating on Windows OS. This is accomplished via remote WMI connections made through Distributed Component Object Model (DCOM).
Address security measures
The security measures below must be addressed to ensure proper access to data.
- Ensure firewall allows WMI access.
- Disable UAC filter by following these steps:
  - Navigate to Start.
  - Type: firewall
  - Select Allow a program through Windows Firewall.
  - Select Change settings.
  - Select Windows Management Instrumentation (WMI), and then click OK.
- If it is necessary to allow for a specific user:
  - Run wmimgmt.msc.
  - Right-click WMI Control (local).
  - Select Properties > Security tab > click Security > Add.
  - Type the name of the user into Enter the object names to select.
  - Click Check names, and then click OK.
  - Click Advanced.
  - Double-click the specific user.
  - For Applied to, select This namespace and subnamespaces.
  - Select both:
    - Remote Enable
    - Execute Methods
  - Run net localgroup "Distributed COM Users" USERNAME /add
  - Replace USERNAME (for example, IE11WIN10\IEUser).
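The script below is an added example, not SolarWinds code: a read-only PowerShell audit, run on the Windows host to be scanned, that reports whether the firewall group, the Distributed COM Users membership, and the two namespace rights from the steps above are in place for one account. The `root\cimv2` namespace is an assumption, the account is the page's sample user, and the mask values are the standard WMI namespace rights.

```powershell
# Added example: audit the WMI prerequisites above for one scan account.
# Run in an elevated Windows PowerShell 5.1 session on the host to be scanned.
$ScanAccount = 'IE11WIN10\IEUser'   # sample account from this page; replace with yours
$Namespace   = 'root\cimv2'         # assumption: namespace the scanner queries

$RemoteEnable     = 0x20   # WBEM_REMOTE_ACCESS   ("Remote Enable")
$ExecuteMethods   = 0x02   # WBEM_METHOD_EXECUTE  ("Execute Methods")
$ContainerInherit = 0x02   # ACE flag: ACE also applies to subnamespaces

function Test-WmiFirewallGroup {
    # True when an inbound rule of the built-in WMI firewall group is enabled
    $rules = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' `
                 -ErrorAction SilentlyContinue
    [bool]($rules | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })
}

function Test-DcomGroupMember([string]$Account) {
    # Direct membership only; nested domain groups are not expanded
    $members = Get-LocalGroupMember -Group 'Distributed COM Users' -ErrorAction SilentlyContinue
    [bool]($members | Where-Object { $_.Name -eq $Account })
}

function Get-WmiNamespaceRights([string]$Account, [string]$Ns) {
    # Read the namespace DACL and merge the Allow ACEs that name the account itself
    $sd = (Invoke-WmiMethod -Namespace $Ns -Path '__SystemSecurity=@' `
               -Name GetSecurityDescriptor).Descriptor
    $domain, $name = $Account -split '\\', 2
    $mask = 0; $inherited = $false
    foreach ($ace in $sd.DACL) {
        if ($ace.AceType -ne 0) { continue }   # 0 = access allowed
        if ($ace.Trustee.Name -ne $name -or $ace.Trustee.Domain -ne $domain) { continue }
        $mask = $mask -bor $ace.AccessMask
        if ($ace.AceFlags -band $ContainerInherit) { $inherited = $true }
    }
    [pscustomobject]@{
        RemoteEnable   = [bool]($mask -band $RemoteEnable)
        ExecuteMethods = [bool]($mask -band $ExecuteMethods)
        Subnamespaces  = $inherited
    }
}

$rights = Get-WmiNamespaceRights $ScanAccount $Namespace
[pscustomobject]@{
    Account                 = $ScanAccount
    FirewallWmiGroupEnabled = Test-WmiFirewallGroup
    InDistributedComUsers   = Test-DcomGroupMember $ScanAccount
    RemoteEnable            = $rights.RemoteEnable
    ExecuteMethods          = $rights.ExecuteMethods
    AppliesToSubnamespaces  = $rights.Subnamespaces
} | Format-List
```

A False value points at the step in the list that has not been applied for that account. Rights the account receives only through a group also show as False, because the script merges only ACEs that name the account directly.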
Credentials for Discovery
SolarWinds recommends using credentials for your scanner connections. To obtain the most information, you must include credentials to allow the scanner access to the connected devices.
Scanning without credentials
The amount of information gathered without the use of credentials is limited. The information gathered without credentials includes:
- IP address
- MAC address
- Operating system
- Host name
- Open ports (services)
Scanning with credentials
By including credentials to allow the Discover Scanner access to connected devices, you can ensure that you collect the most information possible. The table below lists the credentials that require access to the scanned asset.
Credential | Destination port |
---|---|
SNMP | UDP port 161 |
SSH | TCP port 22 |
WMI | TCP port 135 |
The table below provides a detailed description of what is supported along with the network information you need to provide for maximum asset information.
Credential type | Network information needed |
---|---|
SNMP Credentials V3 | When you select V2, you must include the Name and Community string. |
SSH Credentials Key | When you select this credential type you must provide Name*, Description, Username*, and SSH Private Key* to receive greater visibility into the subnet. |
SSH Credentials (username and password) | When you select this credential type you must provide Name*, Description, Username*, and Password* |
* Reflects required fields |
Although it is not mandatory, SolarWinds highly recommends providing a description so you can better understand your network.