Nmap Announce mailing list archives
XML Output Proposal
From: Fyodor <fyodor () insecure org>
Date: Wed, 16 Aug 2000 22:50:30 -0700 (PDT)
Several people on nmap-dev have sent useful input regarding the XML output format. In particular, Stou Sandalski <tangui () cell2000 net> and Fredrick Paul Eisele <phreed () netarx com> have sent some very good ideas. I started with those and created a sample XML output file that encompasses most of the current features of Nmap (and some future ones as well). I have appended the sample output. Sorry about the long line length. Please send mail to nmap-dev () insecure org (or just me) if you have any comments or suggestions for improvement. You don't have to be a subscriber to mail to that list, but you can become one with a blank email to nmap-dev-subscribe () insecure org .

Remember that it can be very hard to change machine-readable output formats once they are defined. So we must take the opportunity to scrutinize it now. Also note that there has to be a balance between readability, output size, and extensibility.

<?xml version="1.0" ?>
# These pound comments will not appear in actual -oX output
# Note this may not be internally consistent (e.g. options used vs. report given) since I'm trying to show a diverse range of features
# Also note that this may show some features that Nmap does not currently support (but I want to leave room for nmap enhancements).

<!-- nmap (V. 2.54BETA3) scan initiated Tue Aug 15 21:49:21 2000 as: nmap -sT -I -sR -O -p- -oM /tmp/smploutput.mlog localhost db -->

# Info on How Nmap was run
<nmaprun args="-sT -I -sR -O -p- -oM /tmp/smploutput.mlog localhost db" start="966401074" version="2.54BETA3" xmloutputversion="1.0" >
  <scaninfo type="connect" protocol="tcp" services="1-1024,1100,1400" />
  <scaninfo type="udp" protocol="udp" services="1-1024,1100,1400" />
  <scaninfo type="ipproto" protocol="ip" services="1-255" />
  <verbose level="1" />
  <debugging level="0" />

# Info on hosts (each containing port info)
# note that the addrtype attributes you see will be optional and default to ipv4
  <host status="up">
    <address addr="192.168.0.24" addrtype="ipv4" />
    <address addr="00:C0:F0:48:3A:54" addrtype="mac" />
    <hostname name="amy.insecure.org" type="A" />
    <hostname name="mail.insecure.org" type="CNAME" />
    <hostname name="hopelessly.insecure.org" type="CNAME" />
    <os>
      <osmatch name="Linux 2.1.122 - 2.2.16" accuracy="100%" />
      <osmatch name="FreeBSD 4.0-Release" accuracy="100%" />
      <osmatch name="Linux 2.1.84 - 2.1.121" accuracy="96%" />
      <portused state="open" proto="tcp" id="22" />   # OS detection is based on ports it can find to test against
      <portused state="closed" proto="tcp" id="1" />
    </os>
    <tcpsequence index="2796433" class="random positive increments" difficulty="Worthy Challenge" />
    <port protocol="TCP" id="22" owner="root">
      <state state="open" conf="5" />   # Conf describes the confidence that the state is correct: 5 might mean "sure" while 2 could be a guess
      <service name="ssh" conf="3" method="table" />   # Obtained via lookup from nmap-services (see "method"); confidence is 1-5
      <service name="xlm4" conf="3" method="table" />   # In case there are more than one service listed as using that port
      <banner>SSH-1.99-2.0.13 (non-commercial)</banner>
    </port>
    <port protocol="TCP" id="80" owner="nobody">
      <state state="open" conf="5" />
      <service name="http" proto="http" conf="5" method="detection" version="Apache/1.3.12 (Unix) mod_perl/1.24" />   # Detected via some future protocol/version detection system like the Nmap+V patch.
    </port>
    <port protocol="TCP" id="32773" owner="root">
      <state state="open" conf="5" />
      <service name="ttdbserverd" proto="rpc" version="1-2" conf="5" method="detection" />   # RPCgrind also counts as a "detection" method
    </port>
    <port protocol="UDP" id="31337">
      <state state="filtered" conf="5" />
      <filteredby><packet proto="ICMP" type="3" code="3" name="ICMP port unreachable" srcipaddr="10.3.7.4" ip_v="4" /></filteredby>
      <service name="backorifice" conf="3" method="table" />
    </port>
    <traceroute type="udp" port="41702">
      <hop distance="0">   # Info like below but regarding src machine
      </hop>
      <hop distance="1">
        <address addr="10.4.1.7" addrtype="ipv4" />
        <hostname name="router.insecure.org" type="A" />
      </hop>
      <hop distance="4"> ... </hop>
    </traceroute>
    <timestamp end="966401076" />   # Time we finished with this host
  </host>
  <host status="down">
    <address addr="192.168.255.255" addrtype="ipv4" />
    <smurf responses="417"></smurf>   # Smurf (subnet-directed broadcast) address. Not </smurf> because I might want to list the addresses someday
    <extraports state="filtered" proto="TCP" ids="1-20,400-700,854" />
  </host>

# Statistics on Nmap run
  <runstats>
    <finished time="966401078" timeout="0" />
    <hosts up="4" down="16" total="20" />
    <!-- Nmap run completed at Tue Aug 15 22:59:22 2000; 20 IP addresses (4 hosts up) scanned in 106 seconds -->
  </runstats>
</nmaprun>

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
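A consumer of the format sketched in the message above, added here as an example; it is not part of the original post and not Nmap's own code. Element and attribute names (nmaprun, host, address/addrtype, port/protocol/id, state/conf, service/method/version, banner, extraports/ids) are taken from the draft; the SAMPLE document is constructed for the example, with the pound comments dropped and the runstats timeout quoted so the document is well-formed. The confidence thresholds in open_ports and guessed_services are the reader's choice, not something the draft prescribes.

```python
"""Parser for the -oX format proposed above. Added example, not Nmap's own
code; every element and attribute name is taken from the draft."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
import xml.etree.ElementTree as ET

# Constructed sample in the proposed format (pound comments dropped, timeout
# quoted so it is well-formed). Not real scan output.
SAMPLE = """<?xml version="1.0" ?>
<nmaprun args="nmap -sT -O -p- localhost" start="966401074" version="2.54BETA3" xmloutputversion="1.0">
<scaninfo type="connect" protocol="tcp" services="1-1024,1100,1400" />
<host status="up">
<address addr="192.168.0.24" addrtype="ipv4" /><address addr="00:C0:F0:48:3A:54" addrtype="mac" />
<port protocol="TCP" id="22" owner="root"><state state="open" conf="5" />
<service name="ssh" conf="3" method="table" /><service name="xlm4" conf="3" method="table" />
<banner>SSH-1.99-2.0.13 (non-commercial)</banner></port>
<port protocol="TCP" id="80" owner="nobody"><state state="open" conf="5" />
<service name="http" conf="5" method="detection" version="Apache/1.3.12 (Unix) mod_perl/1.24" /></port>
<port protocol="TCP" id="113"><state state="open" conf="2" /></port>
<port protocol="UDP" id="31337"><state state="filtered" conf="5" />
<service name="backorifice" conf="3" method="table" /></port>
</host>
<host status="down">
<address addr="192.168.255.255" addrtype="ipv4" />
<extraports state="filtered" proto="TCP" ids="1-20,400-700,854" />
</host>
<runstats><finished time="966401078" timeout="0" /><hosts up="4" down="16" total="20" /></runstats>
</nmaprun>
"""

@dataclass
class Service:
    name: str
    conf: int                # 1-5 per the draft, 5 = sure
    method: str              # "table" (nmap-services lookup) or "detection"
    version: Optional[str] = None

@dataclass
class Port:
    protocol: str            # lower-cased: the draft mixes "TCP" and "tcp"
    number: int
    state: str
    state_conf: int
    services: List[Service] = field(default_factory=list)
    banner: Optional[str] = None

@dataclass
class Host:
    status: str
    addresses: Dict[str, str] = field(default_factory=dict)   # addrtype -> addr
    ports: List[Port] = field(default_factory=list)
    extraports: List[Tuple[str, str, Set[int]]] = field(default_factory=list)

def expand_ranges(spec: str) -> Set[int]:
    """'1-20,400-700,854' -> {1..20, 400..700, 854}; ranges are inclusive."""
    out: Set[int] = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def _parse_port(el: ET.Element) -> Port:
    st = el.find("state")
    if st is None:
        raise ValueError("port %s has no <state>" % el.get("id"))
    port = Port(el.get("protocol", "").lower(), int(el.get("id", "0")),
                st.get("state", ""), int(st.get("conf", "0")))
    port.services = [Service(s.get("name", ""), int(s.get("conf", "0")),
                             s.get("method", ""), s.get("version"))
                     for s in el.findall("service")]
    b = el.find("banner")
    port.banner = b.text.strip() if b is not None and b.text else None
    return port

def parse_nmaprun(text: str) -> List[Host]:
    root = ET.fromstring(text)
    if root.tag != "nmaprun":
        raise ValueError("not an nmaprun document: <%s>" % root.tag)
    hosts = []
    for h in root.findall("host"):
        host = Host(h.get("status", ""))
        for a in h.findall("address"):
            host.addresses[a.get("addrtype", "ipv4")] = a.get("addr", "")   # draft: addrtype defaults to ipv4
        host.ports = [_parse_port(p) for p in h.findall("port")]
        host.extraports = [(e.get("state", ""), e.get("proto", "").lower(), expand_ranges(e.get("ids", "")))
                           for e in h.findall("extraports")]
        hosts.append(host)
    return hosts

def open_ports(host: Host, min_conf: int = 5) -> List[Tuple[str, int]]:
    """Open ports whose state confidence reaches min_conf; lower-conf guesses are excluded."""
    return [(p.protocol, p.number) for p in host.ports
            if p.state == "open" and p.state_conf >= min_conf]

def guessed_services(host: Host) -> List[Tuple[int, str, int]]:
    """Service names not backed by detection at full confidence: verify before acting on them."""
    return [(p.number, s.name, s.conf) for p in host.ports for s in p.services
            if s.method != "detection" or s.conf < 5]
```

The two filters are the point of the draft's conf and method attributes: a port list handed to a downstream tool should not silently include state guesses, and a service name that came from the nmap-services table is a hint, not a fingerprint. Scan output that did not come from your own scanner is untrusted input; if it is parsed with the standard library, as here, note that xml.etree does not resolve external entities, and consider the defusedxml package where entity-expansion attacks are a concern.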
Current thread:
- XML Output Proposal Fyodor (Aug 16)