Optimizing Passive Discovery in VMware vCenter Application Discovery Manager

Article ID: 310981

Products

VMware Aria Suite

Issue/Introduction

Symptoms:

This is intended as a guide for tuning the passive discovery settings of VMware vCenter Application Discovery Manager (ADM). It is assumed that the desired traffic is being presented to ADM but that, for various reasons, these hosts, services, or connections are not being discovered or shown in the inventory when viewing the GUI.

Several heuristics exist in ADM’s Passive Discovery to limit discovery of hosts, services, and connections to those confirmed to be true dependencies. At times, it may be necessary to change the default settings in ADM to ensure that more items are discovered.


Environment

VMware vCenter Application Discovery Manager 5.x
VMware vCenter Application Discovery Manager 6.x
VMware vCenter Application Discovery Manager 7.x

Resolution

Modifications in the Passive Discovery Plan

VMware recommends using the following settings in the Passive Discovery Scope and Plan if vCenter Application Discovery Manager (ADM) is expected to discover all connections. To change these settings, go to the vCenter ADM GUI and navigate to Manage > Passive Discovery.

  1. Set the scope criteria to discover clients to ensure that ADM discovers these elements and their connections. If clients are not discovered, then only connections between two servers are discovered. Connections cannot exist without two endpoints.
     
  2. Set the last three criteria to Ignore to prevent ADM from dropping hosts that are only found to be running less interesting services such as an SNMP agent or an SSH daemon.

These discovery plan rules also ensure that hosts, services or connections are dropped if they are discovered by the listener (also known as the passive probe).

Modifications on the Passive Discovery Collectors

In order to decrease the amount of traffic discarded by the listener, modify ADM's probe-params.custom.txt file.
 
Note: Explanations for each of the switches appear below.

  1. To edit the file, run these commands:

    cd /home/nlayers/Seneca/probe/
    vi probe-params.custom.txt

  2. Add the following switches to the file, at the end of the line. Leave any pre-existing switches, such as -e, in the line as well.

    -CN 1 -j 2 -p 10 -U -u 20 -W -CM 2

  3. Restart the listener service to apply the change, by running this command:

    adm_control.pl --restart listener

Explanation of changes

  • -CN 1
    The minimum number of different connections to a particular endpoint that must be present to declare a service. Each connection must come from a different IP address. The default is 3, which means that for an unclassified service to be discovered, ADM must see three distinct client IP addresses connecting to it.
     
  • -j 2
    Waiting period and expiration for unknown service port denylist, measured in seconds. Hosts are monitored for this period before creating an unknown service on them. The default is 3600 (1 hour). This change sets it to 2 seconds.
     
  • -p 10
    The maximum number of connections with the same protocol between two hosts. The default is 3. If there are more than three connections between two hosts on the same protocol, some of them may be missed, since the earlier ones may have been classified differently and eventually aged out. Raising this limit decreases the likelihood that connections are missed.
     
  • -U
    Disables "mute ports" filtering. By default, new TCP/UDP ports are never created based only on the destination side of the packet (they are created if they originate a packet). Using this option disables the default and allows the listener to create TCP/UDP ports based on the destination side only. This may be needed in cases where the traffic presented to ADM is not symmetric and ADM is not recording connections. Use of this switch may lead to false positives in cases where traffic is sent to hosts or services that do not exist.
     
  • -u 20
    Sets the maximum number of connections with an unknown protocol between two hosts. The default is 12. If there are more than twelve connections between two hosts using unknown protocols, some of them may be missed, since the earlier ones may have been classified differently and eventually aged out. Raising this limit decreases the likelihood that connections are missed.
     
  • -W
    This switch prevents the local IP addresses of the ADM appliances/VMs from being automatically denylisted. This may result in more traffic being discovered, such as ADM -> ADM traffic, ADM -> GUI traffic, and traffic resulting from Detail Discovery.
     
  • -CM 2 (only in ADM 6.2 and above)
    This switch sets the connection maturity age to 2 seconds, from the default of 3600 (1 hour). This allows more unclassified services to be discovered: decreasing the amount of time for which ADM needs to see active connections (the same session) lessens the chance that unclassified traffic communicating in short bursts is missed.

    Note: The -CM switch is not available in vADM versions prior to 6.2. To change the Connection Maturity value in those versions, modify the value in the base.ppt.xml file. To do so:

    1. Open the file:

      vi /home/nlayers/Seneca/probe/resources/base.ppt.xml

    2. Find the parameters for the unknown parser, uncomment the line, and change the value from 3600 to 2.

      Change from this:

      To this:

      <param name="connMaturityAge" value="2"/>

    3. After making the change, restart the listener by running this command:

      adm_control.pl --restart listener

Modifying ADM port filters to extend TDS and TNS discovery

By default, TDS and TNS are only discovered on the following ports.

TDS: 1443, 1433, 5003
TNS: 66, 1515, 1521, 1522, 1523, 1524, 1525, 1526, 1527, 1528, 1529

In order to expand the list of ports, a custom PPT (Protocol Parse Tree) file must be created.

Custom PPT files should be placed in the following location on each Collector:

/home/nlayers/Seneca/probe/resources/
 
Ownership of the file should be nlayers:nlayers. Run this command:

chown nlayers:nlayers TDS.ppt.custom.xml

where TDS.ppt.custom.xml is the name of your custom PPT file.
 

After custom fingerprint files are placed in the resource directory, restart the listener. Make sure the listener is running without errors by tailing the listener.root.log. If it is dying or will not start, there is probably a syntax error or the XML isn't well-formed.

Example: To allow TDS traffic on ports 5003, 5105 and 5780 to be discovered:

<protocol-parse-tree location="/Ethernet2/IP/TCP">
  <parser name="PortFilter">
    <params>
      <param name="ports" value="5003,5105,5780"/>
    </params>
    <parser name="TDS"/>
  </parser>
</protocol-parse-tree>
 
Example: To specify a range of ports for discovering TDS:

<protocol-parse-tree location="/Ethernet2/IP/TCP">
  <parser name="PortFilter">
    <params>
      <param name="minPort" value="5220"/>
      <param name="maxPort" value="5225"/>
    </params>
    <parser name="TDS"/>
  </parser>
</protocol-parse-tree>
 
Example: To allow TDS traffic on any TCP port to be discovered (no PortFilter at all):

<protocol-parse-tree location="/Ethernet2/IP/TCP">
  <parser name="TDS"/>
</protocol-parse-tree>
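As an added example (not part of this KB article and not an ADM tool), the following Python check parses a custom PPT file before it is copied to the Collector, so that a malformed file is caught before it takes the listener down. It assumes only the element and parameter names shown in the examples above (protocol-parse-tree, PortFilter, ports, minPort, maxPort) and nothing else about the ADM file format.

```python
import xml.etree.ElementTree as ET

def validate_ppt(xml_text):
    """Return a list of problems in a custom PPT document; an empty list means it passed."""
    problems = []
    try:
        root = ET.fromstring(xml_text)  # a file that is not well-formed is what kills the listener
    except ET.ParseError as exc:
        return ["XML is not well-formed: %s" % exc]
    if root.tag != "protocol-parse-tree":
        problems.append("root element must be <protocol-parse-tree>, got <%s>" % root.tag)
    if not root.get("location", "").startswith("/"):
        problems.append("protocol-parse-tree needs an absolute location such as /Ethernet2/IP/TCP")
    for pf in root.iter("parser"):
        if pf.get("name") != "PortFilter":
            continue
        params = {p.get("name"): (p.get("value") or "") for p in pf.findall("params/param")}
        if "ports" in params:  # explicit list, as in the first example above
            for tok in params["ports"].split(","):
                if not tok.strip().isdigit() or not 1 <= int(tok) <= 65535:
                    problems.append("PortFilter 'ports' has an invalid port: %r" % tok)
        elif "minPort" in params or "maxPort" in params:  # range form, as in the second example
            lo, hi = params.get("minPort", ""), params.get("maxPort", "")
            if not (lo.isdigit() and hi.isdigit()):
                problems.append("PortFilter range needs numeric minPort and maxPort")
            elif not 1 <= int(lo) <= int(hi) <= 65535:
                problems.append("PortFilter range %s-%s is not a valid ascending range" % (lo, hi))
        else:
            problems.append("PortFilter has neither 'ports' nor minPort/maxPort")
        if pf.find("parser") is None:
            problems.append("PortFilter has no child parser such as <parser name=\"TDS\"/>")
    return problems

# Constructed samples (not from the article): the article's first example plus two broken variants.
GOOD_PPT = """<protocol-parse-tree location="/Ethernet2/IP/TCP">
  <parser name="PortFilter">
    <params>
      <param name="ports" value="5003,5105,5780"/>
    </params>
    <parser name="TDS"/>
  </parser>
</protocol-parse-tree>"""
BAD_XML = GOOD_PPT.replace('5780"/>', '5780">')  # unclosed <param>: not well-formed
BAD_RANGE = GOOD_PPT.replace('<param name="ports" value="5003,5105,5780"/>',
                             '<param name="minPort" value="5225"/><param name="maxPort" value="5220"/>')

if __name__ == "__main__":
    for label, doc in (("good", GOOD_PPT), ("bad_xml", BAD_XML), ("bad_range", BAD_RANGE)):
        print(label, validate_ppt(doc) or "OK")
```

Run it against your own file with validate_ppt(open("TDS.ppt.custom.xml").read()) before the chown and listener restart described above.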