Nmap Development mailing list archives

[RFC] Ndiff

From: "Michael Pattrick" <mpattrick () rhinovirus org>
Date: Sun, 15 Jun 2008 15:55:55 -0400

Hey everyone,

David said it better then I can:
On Sun, Jun 15, 2008 at 3:02 PM, David Fifield <david () bamsoftware com> wrote:

The real problems is that Zenmap's comparison doesn't answer the
questions a users wants answered: Are there new hosts on the network?
Did any machines go down? Any new ports? Web server still running?
Zenmap just gives you a jumble of colored text and asks you to figure it
out.


Nmap could use a program that intelligently compare XML output files,
instead of just doing the type of diff that Zenmap currently uses, we
could be parsing the files and outputting an intelligent diff that
better reflects the differences in network state. This diff file could
then be used by Zenmap or a third party program for visualization.

Here is a partial example of how the differences could be represented
in XML. The new tags <addhost> <delhost> <chghost> are used to express
changes in the host state. Inside the *host tags <chg(state/service)
is paired with <old(state/service) to show what has changed, both <add
and <del (port/state/service) are unpaired because their changes are
obvious.

<nmapdiff startdate="12/4/07" starttime="13:31:42" enddate="12/4/08"
endtime="21:04:26" >

<chghost>
 <address addr="10.9.8.7" addrtype="ipv4" />
   <addport protocol="tcp" portid="53">
     <addstate state="open" />
     <addservice name="domain" product="ISC BIND" version="9.2.1"
method="probed" conf="10" /> </addport>
    <chgport protocol="tcp" portid="80"> <state state="open" />
     <chgservice name="http" product="Apache httpd" version="2.0.39"
conf="10" method="probed" />
     <oldservice name="http" product="Microsoft ISS" version="11"
conf="10" method="probed" />
    </chgport>
</chghost>

<addhost>
 <address addr="192.168.2.1" addrtype="ipv4" />
   <addport protocol="tcp" portid="21"> <addstate state="open" />
     <addservice name="ftp" product="ftpd" version="1" method="probed"
conf="10" /> </addport>
   <addport protocol="tcp" portid="8080"> <addstate state="open" />
     <addservice name="http" product="Apache httpd" version="2.0.39"
conf="10" method="probed" /> </addport>
</addhost>

<delhost>
 <address addr="192.168.2.100" addrtype="ipv4" />
   <delport protocol="tcp" portid="21"> <delstate state="open" />
     <delservice name="ftp" product="ftpd" version="1" method="probed"
conf="10" /> </addport>
   <delport protocol="tcp" portid="8080"> <delstate state="open" />
     <delservice name="http" product="Apache httpd" version="2.0.39"
conf="10" method="probed" /> </addport>
</delhost>

<runstats>
     <addhost address="192.168.2.1" reason="reset"/>
     <delhost address="192.168.2.100"/>
</runstats>

</nmapdiff>

The differences could also be outputted in a more readable format such as:
12/4/07 - 13:31:42 -> 12/4/08 - 21:04:26
    10.9.8.7
        Port 53/tcp is now open, was filtered
        Port 53/tcp is now listening with ISC BIND
        Port 80/tcp is now listening with Apache httpd, was Microsoft ISS
    192.168.2.1
        Host 192.168.2.1 has come online.
        Port 21/tcp is now listening with ftpd
        Port 8080/tcp is now listening with Apche httpd


There is also the matter of the language I would implement this in,
Ive given it some thought and heres what I'm thinking:
PERL
Pros:
 - Many parsers and applications for Nmap's XML format already written
in this language.
Cons:
 - Nmap would have to list PERL as an optional requirement.

Python:
Pros:
 - Easy integration with Zenmap
 - Nmap already relies on Python for Zenmap, no extra dependencies.
Cons:
 - It seems that the only Nmap XML parser(xml-expert) is dead.
 - I'm not particularly fond of python.

C++:
Pros:
 - Easy integration with Nmap/Zenmap
 - Possible future integration for XML parsing with Nmap, resuming
scans and etc.
Cons:
 - I couldn't find any prior work, so I would probably end up working
with LibXML2

As you can see, there are still a lot of unresolved details, I would
appreciate any input on this. Here are some of the requirements that
David gave me:
* It must read Nmap XML files. (It is explicitly not a requirement to
read any other type of output file.)
* It must compare two output files at a time.
* It must show which hosts have come up or gone down.
* It must show when a port has changed state.
* It must support comparing output files coming from different scans
(different Nmap options or different target specifications).
* It must allow output in English text.
* It must allow output in XML, with a format and DTD to be determined.

Cheers,
Michael

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Current thread:

[RFC] Ndiff Michael Pattrick (Jun 15)
- RE: [RFC] Ndiff Thomas Buchanan (Jun 15)
  - Re: [RFC] Ndiff Michael Pattrick (Jun 15)
  - Re: [RFC] Ndiff David Fifield (Jun 15)