Nmap Development mailing list archives
Re: nmap XML output for "down" hosts on -F scans
From: David Fifield <david () bamsoftware com>
Date: Mon, 16 Nov 2009 00:38:05 -0700
On Tue, Nov 03, 2009 at 03:15:02AM -0800, Fyodor wrote:
> On Wed, Oct 28, 2009 at 06:55:51PM -0600, David Fifield wrote:
> > Here's a patch for everybody's consideration. What it does is print out a host record for down hosts before they are removed from the internal host lists. The output for down hosts (in normal, grepable, and XML forms) will come all in a block at the top of a host group, not interleaved with up hosts as with ping scan. The output always goes to XML and grepable formats, but requires -v to go to normal output.
>
> Hi David. This is an interesting idea. I tested your simple patch, and it seems to work. Here are my notes:
>
> o In interactive mode, I see a bunch of lines like
>
>   Nmap scan report for 64.13.134.93
>   Host is down.
>   Nmap scan report for 64.13.134.95
>   Host is down.
>   Nmap scan report for 64.13.134.96
>   Host is down.
>
>   This is a similar issue to the one we dealt with for -sL where it was using two lines per skipped host. In that case we removed the "Host not scanned" lines, but I'm not sure what we should do here. Leaving two lines per down host might be OK, though I'm tempted to add the information to the scan report line like:
>
>   Nmap scan report for 64.13.134.95 [host down]
>   Nmap scan report for 64.13.134.96 [host down]
>
>   Up hosts could still be handled as they currently are:
>
>   Nmap scan report for gw.cust-cedera.svcolo.com (64.13.134.81)
>   Host is up (0.26s latency).
>
>   Requiring verbose mode, as you do, sounds reasonable for normal/interactive output.
>
> o In normal output (-oN), I get:
>
>   Nmap scan report for 64.13.134.158
>   Nmap scan report for 64.13.134.159
>   Nmap scan report for 64.13.134.160
>   Nmap scan report for 64.13.134.161
>
>   Here we only have one line per host, but it doesn't mention the host state. I'd rather this be handled the same way as interactive output.
>
> o XML output
>
>   A down host entry looks like:
>
>   <host><status state="down" reason="no-response"/>
>   <address addr="64.13.134.207" addrtype="ipv4" />
>   </host>
>
>   That is about 100 bytes, so we could have 10K down hosts per megabyte of log file size. So a class B address space would take about 7 MB if all the hosts are down. That sounds reasonable. I think your idea of writing these to the XML files in all cases (e.g. without requiring -v) is a good one. If people complain about space usage when they scan sparse networks, we could always add an option to omit those.
>
> o The grepable output looks like:
>
>   Host: 64.13.134.77 () Status: Down
>   Host: 64.13.134.78 () Status: Down
>   Host: 64.13.134.79 () Status: Down
>
>   That is fine.
>
> o As you noted, the down hosts are presented in the "wrong" order. I don't think that is a big problem.
>
> So, overall I think it is a good patch. But before it is applied I think normal mode should be fixed to show the down status and we should figure out what to do about interactive mode (one or two lines).

All right, this is committed now. Normal output shows down hosts with the "[host down]" notation in one line.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
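As an added example (not part of the original messages and not Nmap's own code): a Python sketch that reads the down-host records in the XML and grepable forms quoted in this thread, then checks a target range for addresses that have no record at all. The sample data, the function names and the /30 range are constructed for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample; the down-host records follow the form quoted in the thread.
SAMPLE_XML = """<nmaprun>
<host><status state="down" reason="no-response"/>
<address addr="64.13.134.93" addrtype="ipv4" />
</host>
<host><status state="up" reason="echo-reply"/>
<address addr="64.13.134.94" addrtype="ipv4" />
</host>
<host><status state="down" reason="no-response"/>
<address addr="64.13.134.95" addrtype="ipv4" />
</host>
</nmaprun>"""

# Constructed grepable lines (fields are tab-separated in the -oG file).
SAMPLE_GREPABLE = (
    "Host: 64.13.134.77 ()\tStatus: Down\n"
    "Host: 64.13.134.81 (gw.cust-cedera.svcolo.com)\tStatus: Up\n"
    "Host: 64.13.134.78 ()\tStatus: Down\n"
)

GREP_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)\s*$")

def hosts_by_state_xml(xml_text):
    """Map each status state ("up", "down") to addresses, in document order."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        address = host.find("address")
        if status is not None and address is not None:
            result.setdefault(status.get("state"), []).append(address.get("addr"))
    return result

def hosts_by_state_grepable(text):
    """Same mapping built from 'Host: ... Status: ...' lines; other lines are skipped."""
    result = {}
    for line in text.splitlines():
        m = GREP_RE.match(line)
        if m:
            result.setdefault(m.group(3).lower(), []).append(m.group(1))
    return result

def unaccounted(cidr, by_state):
    """Addresses in the target range that have neither an up nor a down record."""
    seen = {addr for addrs in by_state.values() for addr in addrs}
    return [str(ip) for ip in ipaddress.ip_network(cidr) if str(ip) not in seen]
```

With down hosts written to the log, an address missing from both lists points to an incomplete or interrupted scan instead of an unresponsive host.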