Skip to content

Probe Profiles

A Probe Profile is a reusable, named set of scan settings. Instead of choosing how deep to scan, how fast to go, and what extra information to gather every time, you save those choices once as a profile and reuse it everywhere a scan happens.

A profile controls four things:

  • Depth — how many ports each host is checked for.
  • Aggression — how fast and how parallel the scan runs.
  • Enrichment — whether to grab service banners and HTTP headers on open ports.
  • Classify — whether to try a set of device-class credentials to identify unknown hosts.

The same profile drives every place GridNMS probes a host:

Where What it does
Per-network scheduled scanning A network can run a profile on a schedule to keep its inventory and open-port map current.
Scheduled discovery Periodically sweeps a network with a profile to find new hosts and (optionally) classify them.
Probe Host (per-device action) A one-off Probe Host action on a single device runs a profile against just that host on demand.

Because it’s one shared setting, a scan behaves identically whether it was kicked off by a schedule or by hand — only the trigger differs.

Depth selects which set of TCP ports each host is checked against. Deeper tiers find more services but take longer and generate more traffic.

Depth Ports checked Use it for
Low ~20 most common ports Quick “what’s here?” sweeps, large ranges, sensitive networks.
Medium ~100 common service ports The default — covers the services most environments run.
High ~1000 ports Onboarding an unfamiliar network where you want the fullest picture.
Explicit Exactly the ports you specify When you know precisely which ports matter.

Low checks these ~20 ports — the services found on the overwhelming majority of hosts:

21 FTP 161 SNMP
22 SSH 179 BGP
23 Telnet 443 HTTPS
25 SMTP 445 SMB
53 DNS 514 Syslog
80 HTTP 587 SMTP (submission)
110 POP3 993 IMAPS
143 IMAP 995 POP3S
3306 MySQL
3389 RDP
8080 HTTP-alt
8443 HTTPS-alt

Medium expands to roughly the top 100 ports: everything in Low plus the common services across infrastructure, web, databases, mail, and remote management. A few representative additions: 88 (Kerberos), 135/139 (Windows RPC/NetBIOS), 389 (LDAP), 636 (LDAPS), 1433 (SQL Server), 1521 (Oracle), 3268 (Global Catalog), 5432 (PostgreSQL), 5900 (VNC), 6379 (Redis), 8000/8081/8888 (web apps), 9090/9100/9200 (metrics/printing/search), 27017 (MongoDB). This is the right depth for day-to-day scanning.

High covers roughly the top 1000 ports: nearly all well-known ports (1–1024) plus a broad sweep of the registered ranges where services commonly live. It finds services on unusual ports that the lighter tiers miss, at the cost of being the slowest and noisiest tier. Reserve it for trusted internal networks you’re getting to know.

Choose Explicit to scan exactly the ports you name. Accepts a comma-separated mix of single ports and ranges, for example:

22,80,443,8000-8100

You can also enter all (or *, or 1-65535) to scan every port — useful for a deep audit of a single host, but heavy on a whole subnet.

Aggression controls the scan’s timing and concurrency — how many hosts and ports are checked in parallel. It does not change how many ports are scanned; that’s depth. The two settings are independent: you can run a deep scan gently, or a shallow scan fast.

Aggression Behaviour
Low Few hosts and ports in parallel. Slowest, gentlest, least network noise.
Medium A balanced rate. The default for most networks.
High Many hosts and ports at once. Fastest, but the heaviest load on the network and the hosts being scanned.

With Banner Grab enabled, when the scan finds an open port it reads the service’s banner — the small identifying string a service returns on connect:

  • the HTTP Server header on web ports,
  • the SSH version string on SSH ports,
  • TLS certificate details (such as the certificate’s common name) on encrypted ports.

Banners produce much richer, more accurate service labels — the difference between “port 443 open” and “nginx on 443 with a cert for app.example.com.” Banner Grab is also what lets GridNMS confirm a host is reachable for SSH polling: seeing an open SSH port with a valid banner tells the SSH collector the device is ready to be polled.

HTTP Headers goes a step further than the banner on web ports: it captures the full set of HTTP response headers the server returns, not just the Server line. This gives you the complete header picture for a web service — useful for identifying frameworks, proxies, and security headers.

Classify turns a scan into credentialed discovery: GridNMS tries to log in to an unknown host to find out what it actually is.

Here’s how it works:

  1. The profile names a set of candidate device classes.
  2. Against an unknown host, GridNMS tries the SNMP and SSH credentials configured on those classes.
  3. If one set of credentials authenticates successfully, that tells GridNMS what the host is — it’s whatever the matching class describes (a Cisco switch, a Linux server, and so on).
  4. The host is then flagged as a promotion candidate: you can add it to inventory as that class, with its credentials already resolved.
  • Start at Medium depth / Medium aggression. It finds the services most networks run without hammering anything.
  • Deeper and more aggressive scans hit hosts harder. High depth checks far more ports, and High aggression sends them all at once. On production or sensitive networks, prefer lower settings or scan during quiet hours.
  • Depth and aggression are separate dials. If you need a thorough scan but want to be gentle, pair High depth with Low aggression.
  • Scans stay within assigned networks. A collector only probes the networks it has been assigned — any target outside those networks is skipped. This boundary applies to every profile and every trigger.
  • Enable Classify only with credentials you trust. It tries real logins; scope the candidate classes to the kinds of devices you actually expect on the network.