Nmap Development mailing list archives
Re: nmap XML output for "down" hosts on -F scans
From: David Fifield <david () bamsoftware com>
Date: Wed, 28 Oct 2009 18:55:51 -0600
On Wed, Oct 28, 2009 at 06:43:55PM -0600, David Fifield wrote:
> On Thu, Oct 29, 2009 at 08:33:59AM +0800, Andrew Smith wrote:
> > I'm currently working on a monitoring project using nmap as the scanning/discovery engine. The XML output is being parsed and updated on a MySQL database with a PHP front end to display/filter the results. Running nmap with -sP provides output of both hosts that are up and down, for example:
> >
> > nmap -sP 192.168.2.0/24 -oX nmap-sP-192.168.2.0-24.xml
> >
> > ....
> > <host><status state="down" reason="host-unreach"/>
> > <address addr="192.168.2.6" addrtype="ipv4" />
> > </host>
> > ....
> >
> > However, if I run nmap as:
> >
> > nmap -F --script smb-os-discovery 192.168.2.0/24 -oX nmap-F-smb-os-discovery-192.168.2.0-24.xml
> >
> > then I only get results for hosts that are "up". I have tried using debug and verbosity (-d9 -vvv) but this doesn't provide any information about "down" hosts. I'm working around this at the moment by running a -sP first pass followed by a -F second pass but it would be more efficient (and reduce the load on the system) by being able to get the status of all hosts in the -F pass.
>
> This is the same problem that was reported at http://seclists.org/nmap-dev/2009/q3/1081. Unfortunately there's currently no way to get down hosts in the output when a scan includes a port scan, script scan, or traceroute. The reason is that Nmap removes the down hosts from its internal data structures before doing the further scanning and output.
>
> Depending on how much control you have over the parsing, you may be able to work around the problem by doing the first pass with -sL rather than -sP. That will add an entry for every host, with a state of "unknown". You can then subtract the up hosts from the second pass to get the set of down hosts.
Here's a patch for everybody's consideration. What it does is print out a host record for down hosts before they are removed from the internal host lists. The output for down hosts (in normal, grepable, and XML forms) will come all in a block at the top of a host group, not interleaved with up hosts as with ping scan. The output always goes to XML and grepable formats, but requires -v to go to normal output.

Index: nmap.cc =================================================================== --- nmap.cc (revision 15952) +++ nmap.cc (working copy) @@ -1747,6 +1747,9 @@ /* I used to check that !currenths->weird_responses, but in some rare cases, such IPs CAN be port successfully scanned and even connected to */ if (!(currenths->flags & HOST_UP)) { + log_write(LOG_XML, "<host>"); + write_host_header(currenths); + log_write(LOG_XML, "</host>\n"); delete currenths; o.numhosts_scanned++; continue;

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
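Review bot: the three added lines under `if (!(currenths->flags & HOST_UP))` write a `<host>` record to LOG_XML for every down host with no verbosity or option check, so the XML for a sparsely populated range will consist mostly of down-host records, and existing parsers will start seeing `<host>` elements that port scans never produced before. Consider gating the block on verbosity or a dedicated option, the way the description already does for normal output. The hunk also names only LOG_XML explicitly; the grepable and normal output mentioned in the description presumably comes from `write_host_header(currenths)`, and a short comment saying so (and that the `-v` check lives there) would let the hunk be read on its own.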