Nmap Development mailing list archives

Re: Inconsistency in nmap XML output


From: David Schmalz <dvs () zurich ibm com>
Date: Wed, 10 Nov 2004 14:24:31 +0100

On Wed, 2004-11-10 at 05:35, Fyodor wrote:
> On Mon, Nov 01, 2004 at 01:53:21PM +0100, David Schmalz wrote:
> > Hi everyone,
> >
> > I'd like to report a minor inconsistency in the nmap XML output (tested
> > with versions 3.70 and 3.75). When performing a 'ping' scan, all the
> > hosts that are down are explicitly enumerated in the resulting XML
> > file. However, when I launch a full port and OS fingerprinting scan and
> > all the scanned hosts are actually down, no enumeration is included in
> > the file. This obviously prevents defining a consistent parsing
> > procedure.

> I have mixed feelings about printing the down hosts.  It is done for a
> ping scan, since the whole point of that scan type is to determine
> what systems are up or down.  For a more intrusive scan, I suspect
> most apps don't care about the down hosts.  Nmap doesn't print them on
> its normal output unless verbosity is requested.
>
> Also, to print all the hosts in the right order, Nmap would have to
> save down hosts around until it is finished scanning the up hosts.
> That would be a bit of a pain to implement.

I thought that since the function was already available for ping scans,
this would be easy to enable also for port scans, hence my question :-).

> Also, it could
> substantially enlarge the output.  For example, the guy I just replied
> to was scanning 24 million addresses with most of them down.  A down
> host takes about 85 bytes in XML.  So the logs would be an extra 2GB
> if 23.5M of the hosts are down.

That's right but I'd really like to be able to enable the function with
-v as you propose below. Then, it would be up to the user to decide if
he/she wants to generate huge files, containing maybe only down hosts. 

> Maybe the down hosts should only be printed (in ping or port scan
> mode) with -v, as they are in normal output.  If I hear sufficient
> demand from people, I'll implement that (like I said, it is a bit of a
> pain).

The only good reason that I see for implementing this feature is to keep
a consistent XML output, regardless of the type of scan which is
performed. I don't know though if this is a widely needed feature.

Thanks for your answer and time, 
David
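
An added example, not code from either participant or from the Nmap project: a consumer-side way to get one parsing procedure for both scan types, by reconciling the requested target list against the XML and treating any address the file does not list as down. The element and attribute names (`host`, `status state`, `address addr addrtype`) are taken from Nmap's XML output format, which this thread does not show; the function name and sample data are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: one host up, one explicitly down (as a ping scan
# would list it), and two addresses of the /30 not mentioned at all
# (as the port scan described in the thread would leave them).
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.0.2.1" addrtype="ipv4"/>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.0.2.2" addrtype="ipv4"/>
  </host>
</nmaprun>"""


def host_states(xml_text, targets):
    """Map every target address to its state, listed in the XML or not."""
    reported = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        state = status.get("state") if status is not None else "unknown"
        for addr in host.findall("address"):
            # Skip MAC entries; only IP addresses identify a scan target.
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                reported[ipaddress.ip_address(addr.get("addr"))] = state

    result = {}
    for target in targets:
        # A bare address is handled as a /32 (or /128) network.
        for ip in ipaddress.ip_network(target, strict=False):
            # Assumption: a target absent from the file was found down.
            result[str(ip)] = reported.get(ip, "down")
    return result


if __name__ == "__main__":
    for address, state in host_states(SAMPLE_XML, ["192.0.2.0/30"]).items():
        print(address, state)
```

The target list has to be the same one passed to the scan, since the XML alone cannot tell an omitted down host from an address that was never scanned.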


