Detecting Specific Server and Client Port Usage
The Show Connections configuration parameter keeps track of host communication within the focus network. When the Show Connections configuration parameter is enabled, if one of the hosts is in the defined focus network, NNM records the client, server, and server port every time a host connects to another host. It does not track the frequency or time stamp of the connections – just that a connection was made.
The Show Connections configuration parameter provides a greater level of detail than the Connections to Services configuration parameter. For example, if your IPv4 address is 184.108.40.206 or your IPv6 address is 2001:DB8::AE59:3FC2 and you use the SSH service to connect to “some_company.com”, then the use of these options records the following:
Show Connections
2001:DB8::AE59:3FC2 -> some_company.com
Connections to Services
2001:DB8::AE59:3FC2 -> SSH
Using the Connections to Services configuration parameter lets you know that the system at 220.127.116.11 and 2001:DB8::AE59:3FC2 uses the SSH protocol. This information may be useful regardless of where the service is used.
NNM does not log a session-by-session list of communications. Instead, it logs the relationship between the systems. For example, if system A is detected using the SSH protocol on port 22 connecting to system B, and both systems are within the focus network, NNM would log:
- System A browses on port 22
- System B offers a service (listens) on port 22
- System A communicates with System B on port 22
If system B were outside of the focus network, NNM would not record anything about the service system B offers; it would log only that system A browses outside of the focus network on port 22. NNM does not log how often a connection occurs, only that it occurred at least once. For connections outside of the focus network, NNM logs only which ports are browsed, not the actual destinations.
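The following added example (not Tenable code, and not part of the original page) models the relationship logging described above so the retained and discarded details are visible side by side. The focus network, flow records, and function names are constructed for illustration, and the handling of a client outside the focus network connecting to a server inside it is an assumption, since the page does not describe that case.

```python
import ipaddress

# Constructed focus network and flow records (client, server, server_port).
FOCUS = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("2001:db8::/64")]
FLOWS = [
    ("10.0.0.5", "10.0.0.9", 22),                 # both hosts inside the focus network
    ("10.0.0.5", "10.0.0.9", 22),                 # repeat: frequency is not tracked
    ("10.0.0.5", "198.51.100.7", 22),             # server outside the focus network
    ("2001:db8::ae59:3fc2", "2001:db8::10", 22),  # IPv6, both inside
    ("203.0.113.4", "10.0.0.9", 443),             # client outside (assumed handling)
    ("192.0.2.1", "198.51.100.7", 80),            # neither host inside: nothing recorded
]

def in_focus(addr, focus):
    """True if addr falls inside any focus network (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in focus)

def summarize(flows, focus):
    """Reduce per-session flows to the relationships the page describes.

    Sets are used because only the existence of a relationship is kept,
    never a count or a timestamp.
    """
    browses, listens, connections, browses_outside = set(), set(), set(), set()
    for client, server, port in flows:
        c_in, s_in = in_focus(client, focus), in_focus(server, focus)
        if c_in and s_in:
            browses.add((client, port))               # "System A browses on port 22"
            listens.add((server, port))               # "System B offers a service on port 22"
            connections.add((client, server, port))   # "System A communicates with System B"
        elif c_in:
            # External server: keep the port only, drop the destination.
            browses_outside.add((client, port))
        elif s_in:
            # Assumption: an internal listener is still recorded for external clients.
            listens.add((server, port))
    return {"browses": browses, "listens": listens,
            "connections": connections, "browses_outside": browses_outside}

if __name__ == "__main__":
    for kind, items in summarize(FLOWS, FOCUS).items():
        print(kind, sorted(items))
```

Because the external destination is dropped, a record such as "10.0.0.5 browses outside on port 22" cannot later answer which external host was contacted; that question needs session-level logs.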
Note: If logging session-by-session network events is a requirement for your network analysis, Tenable offers the LCE product, which can log firewall, web server, router, and sniffer logs.