System and method to receive respective copies of communication packets exchanged, over a network, with respective communication endpoints belonging to respective servers, the packets containing respective endpoint identifiers, each of which includes a respective Internet Protocol (IP) address and port number identifying the communication endpoint with which the packet containing the endpoint identifier was exchanged. The processor is further configured to ascertain respective services that use the communication endpoints, by communicating investigative traffic over the network. The processor is further configured to store an association between the communication endpoints and the services, respectively, in the memory, in response to ascertaining the services.