Nmap Development mailing list archives

Re: Ndiff mark II


From: David Fifield <david () bamsoftware com>
Date: Thu, 26 Mar 2009 16:06:10 -0600

On Thu, Mar 26, 2009 at 01:51:11PM -0600, David Fifield wrote:
The branch doesn't support XML output because I think that should be
redesigned too. That means it won't work with Zenmap currently.

I want to solicit advice for representing differences in XML output.
Current Ndiff enumerates each discrete change as an XML element:

<nmapdiff>
  <scandiff a-start="1221154772" b-start="1221595162">
    <host>
      <address addr="10.214.143.33" addrtype="ipv4"/>
      <hostname name="cuvtdnray-504.example.com"/>
      <host-state-change a-state="unknown" b-state="up"/>
      <host-address-add>
        <address addr="10.214.143.33" addrtype="ipv4"/>
      </host-address-add>
      <host-hostname-add>
        <hostname name="cuvtdnray-504.example.com"/>
      </host-hostname-add>
      <port-state-change a-state="unknown" b-state="filtered" portid="1" protocol="tcp"/>
      <port-state-change a-state="unknown" b-state="filtered" portid="3" protocol="tcp"/>
      ...

I think we can get a more intuitive and less verbose output by being
more like Nmap XML output. Here's sample XML corresponding to the text
snippet:

 10.226.19.80:
-Not shown: 999 filtered ports
+Not shown: 997 filtered ports
 PORT     STATE SERVICE VERSION
+21/tcp   open  ftp     Netgear broadband router ftpd 1.0
+23/tcp   open  telnet  Netgear broadband router admin telnetd
+80/tcp   open  http    Embedded Allegro RomPager webserver 4.07 UPnP/1.0 (ZyXEL ZyWALL 2)
-8701/tcp open  unknown

<nmapdiff>
  <scandiff>
    <a/>
    <b>
      <host>
        <status state="up"/>
        <address addr="10.214.143.33" addrtype="ipv4" />
        <hostnames>
          <hostname name="cuvtdnray-504.example.com" type="PTR" />
        </hostnames>
        <ports>
          <extraports state="filtered" count="999"/>
          <port protocol="tcp" portid="3389">
            <state state="open"/>
            <service name="microsoft-rdp" product="Microsoft Terminal Service" ostype="Windows"/>
          </port>
        </ports>
      </host>
    </b>

    <host>
      <status state="up"/>
      <address addr="10.226.19.80" addrtype="ipv4"/>
      <ports>
        <a>
          <extraports state="filtered" count="999"/>
        </a>
        <b>
          <extraports state="filtered" count="997"/>
        </b>
        <a/>
        <b>
          <port protocol="tcp" portid="21">
            <state state="open"/>
            <service name="ftp" product="Netgear broadband router ftpd" version="1.0" devicetype="router"/>
          </port>
        </b>
        <a/>
        <b>
          <port protocol="tcp" portid="23">
            <state state="open"/>
            <service name="telnet" product="Netgear broadband router admin telnetd" devicetype="broadband router"/>
          </port>
        </b>
        <a/>
        <b>
          <port protocol="tcp" portid="80">
            <state state="open"/>
            <service name="http" product="Embedded Allegro RomPager webserver" version="4.07 UPnP/1.0" extrainfo="ZyXEL ZyWALL 2"/>
          </port>
        </b>
        <a>
          <port protocol="tcp" portid="8701">
            <state state="open"/>
            <service name="unknown"/>
          </port>
        </a>
        <b/>
      </ports>
    </host>
  </scandiff>
</nmapdiff>

The <a> and <b> elements show what was present in the A and B scans
respectively. An <a> element must always be followed immediately by a
<b> element, even if one of those is empty. Is this a reasonable way to
do the diff? What other methods of representing differences in XML are
there?

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
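An added example (not Ndiff's own code) of consuming the proposed layout: it walks each `<ports>` element enforcing the rule that every `<a>` is immediately followed by a `<b>`, and renders the pairs back into the text-diff lines shown above. The input is a constructed sample trimmed to two ports; `describe`, `pairs`, `diff_lines` and `pairing_error` are names chosen here, not Ndiff functions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the proposed <a>/<b> layout, trimmed to two ports.
SAMPLE = """<nmapdiff><scandiff><host>
  <address addr="10.226.19.80" addrtype="ipv4"/>
  <ports>
    <a><extraports state="filtered" count="999"/></a>
    <b><extraports state="filtered" count="997"/></b>
    <a/>
    <b><port protocol="tcp" portid="21"><state state="open"/>
      <service name="ftp" product="Netgear broadband router ftpd" version="1.0"/></port></b>
    <a><port protocol="tcp" portid="8701"><state state="open"/><service name="unknown"/></port></a>
    <b/>
  </ports>
</host></scandiff></nmapdiff>"""

def describe(elem):  # one text-diff body line for an <extraports> or <port> element
    if elem.tag == "extraports":
        return "Not shown: %s %s ports" % (elem.get("count"), elem.get("state"))
    svc = elem.find("service")
    parts = [elem.get("portid") + "/" + elem.get("protocol"),
             elem.find("state").get("state")]
    if svc is not None:
        parts += [svc.get("name"), svc.get("product"), svc.get("version")]
    return " ".join(p for p in parts if p)  # drop absent product/version

def pairs(container):  # enforce the rule: every <a> is followed immediately by a <b>
    for i in range(0, len(container), 2):
        a, b = container[i], (container[i + 1] if i + 1 < len(container) else None)
        if a.tag != "a" or b is None or b.tag != "b":
            raise ValueError("child %d of <%s>: <a> not followed by <b>" % (i, container.tag))
        yield a, b

def diff_lines(xml_text):
    """Render every <host> of a scandiff in the proposed layout as Ndiff text lines."""
    lines = []
    for host in ET.fromstring(xml_text).iter("host"):
        lines.append(" %s:" % host.find("address").get("addr"))
        for a, b in pairs(host.find("ports")):
            lines += ["-" + describe(e) for e in a]  # present only in scan A
            lines += ["+" + describe(e) for e in b]  # present only in scan B
    return lines

def pairing_error(xml_text):
    """Return the pairing violation message, or None when the layout is valid."""
    try:
        diff_lines(xml_text)
    except ValueError as err:
        return str(err)
```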
