Nmap Announce mailing list archives

Previous By Date Next
Previous By Thread Next

XML Output Proposal

From: Fyodor <fyodor () insecure org>
Date: Wed, 16 Aug 2000 22:50:30 -0700 (PDT)


Several people on nmap-dev have sent useful input regarding the XML output
format.  In particular, Stou Sandalski <tangui () cell2000 net> and Fredrick
Paul Eisele <phreed () netarx com> have sent some very good ideas.  I started
with those and create a sample XML output file that encompasses most of
the current features of Nmap (and some future ones as well).

I have appended the sample output.  Sorry about the long line length.  
Please send mail to nmap-dev () insecure org (or just me) if you have any
comments or suggestions for improvement.  You don't have to be a
subscriber to mail to that list, but you can become one with a blank email
to nmap-dev-subscribe () insecure org .  Remember that it can be very hard to
change machine-readable output formats once they are defined.  So we must
take the opportunity to scrutinize it now.  Also note that there has to be
a balance between readability, output size, and extensibility.

<?xml version="1.0" ?>
# These pound comments will not appear in actual -oX output
# Note this may not be internally consistant (eg options used vs report given) since I'm trying to show a diverse range 
of features
# Also note that this may show some features that Nmap does not currently support (but I want to leave room for nmap 
enhancements).
<!-- nmap (V. 2.54BETA3) scan initiated Tue Aug 15 21:49:21 2000 as: nmap -sT -I -sR -O -p- -oM /tmp/smploutput.mlog 
localhost db -->
# Info on How Nmap was run
<nmaprun args="-sT -I -sR -O -p- -oM /tmp/smploutput.mlog localhost db" start="966401074" version="2.54BETA3" 
xmloutputversion="1.0" >
<scaninfo type="connect" protocol="tcp" services="1-1024,1100,1400" />
<scaninfo type="udp" protocol="udp" services="1-1024,1100,1400" />
<scaninfo type="ipproto" protocol="ip" services="1-255" />
<verbose level="1" />
<debugging level="0" />

# Info on hosts (each containing port info
# note that the addrtype attributes you see will be optional and default to ipv4
<host status="up">
<address addr="192.168.0.24" addrtype="ipv4" />
<address addr="00:C0:F0:48:3A:54" addrtype="mac" />
<hostname name="amy.insecure.org" type="A" />
<hostname name="mail.insecure.org" type="CNAME" />
<hostname name="hopelessly.insecure.org" type="CNAME" />
<os><osmatch name="Linux 2.1.122 - 2.2.16" accuracy="100%" />
    <osmatch name="FreeBSD 4.0-Release" accuracy="100%" />
    <osmatch name="Linux 2.1.84 - 2.1.121" accuracy="96%" />
    <portused state="open" proto="tcp" id="22" />  # OS detection is based on ports it can find to test against
    <portused state="closed" proto="tcp" id="1" />
</os>
<tcpsequence index="2796433" class="random positive increments" difficulty="Worthy Challenge" />
<port protocol="TCP" id="22" owner="root">
   <state state="open" conf="5" /> # Conf describes the confidence that the state is correct: 5 might mean "sure" while 
2 could be a guess
   <service name="ssh" conf="3" method="table" /> # Obtained via lookup from nmap-services (see "method"); confidence 
is 1-5
   <service name="xlm4" conf="3" method="table" /> # In case there are more than one service listed as using that port
   <banner>SSH-1.99-2.0.13 (non-commercial)</banner>
</port>
<port protocol="TCP" id="80" owner="nobody">
   <state state="open" conf="5" />
   <service name="http" proto="http" conf="5" method="detection" version="Apache/1.3.12 (Unix) mod_perl/1.24" /> # 
Detected via some future protocol/version detection system like the Nmap+V patch.
</port>
<port protocol="TCP" id="32773" owner="root">
   <state state="open" conf="5" />
   <service name="ttdbserverd" proto="rpc" version="1-2" conf="5" method="detection" /> # RPCgrind also counts as a 
"detection" method
</port>
<port protocol="UDP" id="31337">
   <state state="filtered" conf="5" /><filteredby><packet proto="ICMP" type="3" code="3" name="ICMP port unreachable" 
srcipaddr="10.3.7.4" ip_v="4" /></filteredby>
   <service name="backorifice" conf="3" method="table" />
</port>
<traceroute type="udp" port="41702">
  <hop distance="0"> # Info like below but regarding src machine </hop>
  <hop distance="1">
     <address addr="10.4.1.7" addrtype="ipv4" />
     <hostname name="router.insecure.org" type="A" />
  </hop>
  <hop distance="4"> ... </hop>
</traceroute>
<timestamp end="966401076" /> # Time we finished with this host
</host>
<host status="down">
<address addr="192.168.255.255" addrtype="ipv4" />
<smurf responses="417"></smurf>  # Smurf (subnet-directed broadcast) address.  Not </smurf> because I might want to 
list the addresses someday
<extraports state="filtered" proto="TCP" ids="1-20,400-700,854" />
</host>

# Statistics on Nmap run
<runstats>
<finished time="966401078" timeout=0 />
<hosts up="4" down="16" total="20" />
<!-- Nmap run completed at Tue Aug 15 22:59:22 2000; 20 IP addresses (4 hosts up) scanned in 106 seconds -->
</runstats>
</nmaprun>








--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
Previous By Date Next
Previous By Thread Next

Current thread: