Detecting Specific Server and Client Port Usage

The Show Connections configuration parameter keeps track of host communication within the focus network. When the Show Connections configuration parameter is enabled, if one of the hosts is in the defined focus network, NNM records the client, server, and server port every time a host connects to another host. It does not track the frequency or time stamp of the connections – just that a connection was made.

The Show Connections configuration parameter provides a greater level of detail than the Connections to Services configuration parameter. For example, if your IPv4 address is or your IPv6 address is 2001:DB8::AE59:3FC2 and you use the SSH service to connect to “”, then the use of these options records the following:


Show Connections

2001:DB8::AE59:3FC2 ->


Connections to Services


2001:DB8::AE59:3FC2 -> SSH


Using the Connections to Services configuration parameter lets you know that the system at and 2001:DB8::AE59:3FC2 uses the SSH protocol. This information may be useful regardless of where the service is used.

NNM does not log a session-by-session list of communications. Instead, it logs the relationship between the systems. For example, if system A is detected using the SSH protocol on port 22 connecting to system B, and both systems are within the focus network, NNM would log:

  • System A browses on port 22
  • System B offers a service (listens) on port 22
  • System A communicates with System B on port 22

If system B were outside of the focus network, NNM would not record anything about the service system B offers, and would also log that system A browses outside of the focus network on port 22. NNM does not log how often a connection occurs, only that it occurred at least once. For connections outside of the focus network, NNM logs only which ports are browsed, not the actual destinations.

Note: If logging session-by-session network events is a requirement for your network analysis, Tenable offers the LCE product, which can log firewall, web server, router, and sniffer logs.