Probe Profiles
A Probe Profile is a reusable, named set of scan settings. Instead of choosing how deep to scan, how fast to go, and what extra information to gather every time, you save those choices once as a profile and reuse it everywhere a scan happens.
A profile controls four things:
- Depth — how many ports each host is checked for.
- Aggression — how fast and how parallel the scan runs.
- Enrichment — whether to grab service banners and HTTP headers on open ports.
- Classify — whether to try a set of device-class credentials to identify unknown hosts.
Where profiles are used
Section titled “Where profiles are used”The same profile drives every place GridNMS probes a host:
| Where | What it does |
|---|---|
| Per-network scheduled scanning | A network can run a profile on a schedule to keep its inventory and open-port map current. |
| Scheduled discovery | Periodically sweeps a network with a profile to find new hosts and (optionally) classify them. |
| Probe Host (per-device action) | A one-off Probe Host action on a single device runs a profile against just that host on demand. |
Because it’s one shared setting, a scan behaves identically whether it was kicked off by a schedule or by hand — only the trigger differs.
Depth — how many ports
Section titled “Depth — how many ports”Depth selects which set of TCP ports each host is checked against. Deeper tiers find more services but take longer and generate more traffic.
| Depth | Ports checked | Use it for |
|---|---|---|
| Low | ~20 most common ports | Quick “what’s here?” sweeps, large ranges, sensitive networks. |
| Medium | ~100 common service ports | The default — covers the services most environments run. |
| High | ~1000 ports | Onboarding an unfamiliar network where you want the fullest picture. |
| Explicit | Exactly the ports you specify | When you know precisely which ports matter. |
Low — the full list
Section titled “Low — the full list”Low checks these ~20 ports — the services found on the overwhelming majority of hosts:
21 FTP 161 SNMP22 SSH 179 BGP23 Telnet 443 HTTPS25 SMTP 445 SMB53 DNS 514 Syslog80 HTTP 587 SMTP (submission)110 POP3 993 IMAPS143 IMAP 995 POP3S 3306 MySQL 3389 RDP 8080 HTTP-alt 8443 HTTPS-altMedium — the common service set
Section titled “Medium — the common service set”Medium expands to roughly the top 100 ports: everything in Low plus the common
services across infrastructure, web, databases, mail, and remote management. A few
representative additions: 88 (Kerberos), 135/139 (Windows RPC/NetBIOS), 389
(LDAP), 636 (LDAPS), 1433 (SQL Server), 1521 (Oracle), 3268 (Global
Catalog), 5432 (PostgreSQL), 5900 (VNC), 6379 (Redis), 8000/8081/8888
(web apps), 9090/9100/9200 (metrics/printing/search), 27017 (MongoDB). This
is the right depth for day-to-day scanning.
High — the deep sweep
Section titled “High — the deep sweep”High covers roughly the top 1000 ports: nearly all well-known ports (1–1024) plus a broad sweep of the registered ranges where services commonly live. It finds services on unusual ports that the lighter tiers miss, at the cost of being the slowest and noisiest tier. Reserve it for trusted internal networks you’re getting to know.
Explicit — your own port list
Section titled “Explicit — your own port list”Choose Explicit to scan exactly the ports you name. Accepts a comma-separated mix of single ports and ranges, for example:
22,80,443,8000-8100You can also enter all (or *, or 1-65535) to scan every port — useful for a
deep audit of a single host, but heavy on a whole subnet.
Aggression — how fast
Section titled “Aggression — how fast”Aggression controls the scan’s timing and concurrency — how many hosts and ports are checked in parallel. It does not change how many ports are scanned; that’s depth. The two settings are independent: you can run a deep scan gently, or a shallow scan fast.
| Aggression | Behaviour |
|---|---|
| Low | Few hosts and ports in parallel. Slowest, gentlest, least network noise. |
| Medium | A balanced rate. The default for most networks. |
| High | Many hosts and ports at once. Fastest, but the heaviest load on the network and the hosts being scanned. |
Banner Grab
Section titled “Banner Grab”With Banner Grab enabled, when the scan finds an open port it reads the service’s banner — the small identifying string a service returns on connect:
- the HTTP
Serverheader on web ports, - the SSH version string on SSH ports,
- TLS certificate details (such as the certificate’s common name) on encrypted ports.
Banners produce much richer, more accurate service labels — the difference between
“port 443 open” and “nginx on 443 with a cert for app.example.com.” Banner Grab
is also what lets GridNMS confirm a host is reachable for SSH polling: seeing an
open SSH port with a valid banner tells the SSH collector the device is ready to be
polled.
HTTP Headers
Section titled “HTTP Headers”HTTP Headers goes a step further than the banner on web ports: it captures the
full set of HTTP response headers the server returns, not just the Server
line. This gives you the complete header picture for a web service — useful for
identifying frameworks, proxies, and security headers.
Classify (credentialed discovery)
Section titled “Classify (credentialed discovery)”Classify turns a scan into credentialed discovery: GridNMS tries to log in to an unknown host to find out what it actually is.
Here’s how it works:
- The profile names a set of candidate device classes.
- Against an unknown host, GridNMS tries the SNMP and SSH credentials configured on those classes.
- If one set of credentials authenticates successfully, that tells GridNMS what the host is — it’s whatever the matching class describes (a Cisco switch, a Linux server, and so on).
- The host is then flagged as a promotion candidate: you can add it to inventory as that class, with its credentials already resolved.
Tuning tips
Section titled “Tuning tips”- Start at Medium depth / Medium aggression. It finds the services most networks run without hammering anything.
- Deeper and more aggressive scans hit hosts harder. High depth checks far more ports, and High aggression sends them all at once. On production or sensitive networks, prefer lower settings or scan during quiet hours.
- Depth and aggression are separate dials. If you need a thorough scan but want to be gentle, pair High depth with Low aggression.
- Scans stay within assigned networks. A collector only probes the networks it has been assigned — any target outside those networks is skipped. This boundary applies to every profile and every trigger.
- Enable Classify only with credentials you trust. It tries real logins; scope the candidate classes to the kinds of devices you actually expect on the network.
Where to go next
Section titled “Where to go next”- Run a scan from Network Discovery.
- Set up the credentials Classify uses in Device Classes.
- See how discovered hosts connect in Topology & Neighbors.