Re: Design decisions

[Fyodor <fyodor () insecure org>]

On Thu, Dec 19, 2002 at 10:58:38PM +0100, R Anderson wrote:
> Greetings, F[ry]odor and everyone

I'm Fyodor again :).

> 1. I have a working patch that adds intermediate ICMP's received, per 
> the schema proposal, to XML output. 

Sounds cool -- I have wanted this sort of behavior for a while.  Does
it work with all the "raw" scan types (where reasonable)?  Is it
generic enough to store the reason for a port state (eg host
unreachable, admin prohibited by firewall, RST, etc) and the souce IP
that gave us the packet?

> - Never collate ports in the XML output. I thought this was the obvious 
> solution until I realised it will lead to unnecessary large XML files 
> when scanning 128K ports :^)

Youch.  Yeah, that is 2.5MB/host if you add just 20 extra bytes -- and
it would likely take 40+ bytes.

> - Always include the filtered ports that have extra info. This is 
> sensible, right?

But in many cases the "extra info" will be available and the same for
every closed or filtered port except for a handful in other states.
Perhaps the "ignored" tag could include the state as well as the
reason information for the one "ignored" (eg most common)
state/reason.  Then you could list the ports wich don't match that
state AND reason.

> 2. If I want to include non-intermediate ICMP in the XML output (eg. a 
> strange message from the target itself, perhaps on just some ports), how 
> should I encode it? By leaving out the "srcipaddr" or by filling it in 
> with the target address? I prefer leaving the srcipaddr property out. Or 
> should we modify the schema a little?

What schema are you referring to?  One of my old XML proposals?  The
DTD?  Something else?

Cheers,
-F

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).