Nmap Development mailing list archives

New Ndiff utility available


From: David Fifield <david () bamsoftware com>
Date: Thu, 18 Sep 2008 18:48:51 -0600

Hello all,

I just added Ndiff, a new utility that compares Nmap XML files. The
program is descended from work done this summer by Michael Pattrick
during the Summer of Code. Some of Michael's posts are here:

http://seclists.org/nmap-dev/2008/q2/0723.html
http://seclists.org/nmap-dev/2008/q2/0877.html

Ndiff takes as input two Nmap XML files and shows what changed between
them. Try it out with the example files it comes with:

$ cd nmap
$ ndiff/ndiff ndiff/test-scans/random-1.xml ndiff/test-scans/random-2.xml
Thu Sep 11 11:39:32 2008 -> Tue Sep 16 13:59:22 2008
cuvtdnray-504.example.com (10.214.143.33):
        Host is up, was unknown.
        Add ipv4 address 10.214.143.33.
        Add hostname cuvtdnray-504.example.com.
        3389/tcp is open.
        999 tcp ports are filtered.
scnqxez-842.example.com (10.189.71.117):
        Remove hostname scnqxez-842.example.com.
10.226.19.80:
        21/tcp is open, was filtered.
        23/tcp is open, was filtered.
        80/tcp is open, was filtered.
        8701/tcp is filtered, was open.
ywnleu-108.example.com (10.242.160.155):
        Host is up, was unknown.
        Add ipv4 address 10.242.160.155.
        Add hostname ywnleu-108.example.com.
        1000 tcp ports are filtered.

Those are two scans of 150 random IP addresses, done about five days
apart.

The differences reported by the program include host state changes,
host name changes, and port state changes. More types of changes, like
host address changes, service changes, and OS changes could be supported
in the future.

Ndiff also has an XML output mode, which you activate with the --xml
command-line option. There's no software that uses the XML yet, but it
might be used by Zenmap in the future.

I would like to hear your comments. I think the program will have
trouble with DHCP situations where hosts change their IP addresses.
Ndiff just compares addresses when deciding which hosts to diff. I'd
like to get an idea of how bad the problem is before taking steps to
change it.

David Fifield
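
The address-only host matching described in the message, and the way a DHCP renumbering then appears as one host removed and another added, shown as an added example (not Ndiff's code and not part of the original post). The scan XML is constructed sample data; load_hosts, diff_by_address and likely_renumbered are hypothetical names, and pairing by MAC address is an assumed heuristic that only works when the scans recorded MAC addresses.

```python
import xml.etree.ElementTree as ET

# Constructed sample scans (not real data): the host with MAC ...:53:01 moves
# from 10.0.0.5 to 10.0.0.9 between scans; 10.0.0.7 keeps its address.
def _host(ip, mac, ports):
    p = "".join('<port protocol="tcp" portid="%d"><state state="%s"/></port>' % kv
                for kv in ports.items())
    return ('<host><status state="up"/><address addr="%s" addrtype="ipv4"/>'
            '<address addr="%s" addrtype="mac"/><ports>%s</ports></host>' % (ip, mac, p))

SCAN_A = ("<nmaprun>" + _host("10.0.0.5", "00:00:5E:00:53:01", {22: "open"})
          + _host("10.0.0.7", "00:00:5E:00:53:02", {80: "filtered"}) + "</nmaprun>")
SCAN_B = ("<nmaprun>" + _host("10.0.0.9", "00:00:5E:00:53:01", {22: "open"})
          + _host("10.0.0.7", "00:00:5E:00:53:02", {80: "open"}) + "</nmaprun>")

def load_hosts(xml_text):
    """Map IPv4 address -> {'mac': str or None, 'ports': {(proto, portid): state}}."""
    hosts = {}
    for h in ET.fromstring(xml_text).iter("host"):
        addrs = {a.get("addrtype"): a.get("addr") for a in h.iter("address")}
        ports = {(p.get("protocol"), int(p.get("portid"))): p.find("state").get("state")
                 for p in h.iter("port")}
        if "ipv4" in addrs:
            hosts[addrs["ipv4"]] = {"mac": addrs.get("mac"), "ports": ports}
    return hosts

def diff_by_address(a, b):
    """Diff hosts that share an address; anything else is reported as added/removed."""
    changes = []
    for ip in sorted(set(a) | set(b)):
        if ip not in b:
            changes.append("%s: host removed" % ip)
        elif ip not in a:
            changes.append("%s: host added" % ip)
        else:
            for key in sorted(set(a[ip]["ports"]) | set(b[ip]["ports"])):
                old, new = a[ip]["ports"].get(key), b[ip]["ports"].get(key)
                if old != new:
                    changes.append("%s: %d/%s is %s, was %s" % (ip, key[1], key[0], new, old))
    return changes

def likely_renumbered(a, b):
    """Assumed heuristic: pair a removed and an added address that share a MAC."""
    gone = {h["mac"]: ip for ip, h in a.items() if ip not in b and h["mac"]}
    return sorted((gone[h["mac"]], ip) for ip, h in b.items()
                  if ip not in a and h["mac"] in gone)

if __name__ == "__main__":
    old, new = load_hosts(SCAN_A), load_hosts(SCAN_B)
    print("\n".join(diff_by_address(old, new)))
    print("possibly the same host:", likely_renumbered(old, new))
```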
