Nmap Development mailing list archives

Re: nmap XML output for "down" hosts on -F scans


From: David Fifield <david () bamsoftware com>
Date: Mon, 16 Nov 2009 00:38:05 -0700

On Tue, Nov 03, 2009 at 03:15:02AM -0800, Fyodor wrote:
On Wed, Oct 28, 2009 at 06:55:51PM -0600, David Fifield wrote:

Here's a patch for everybody's consideration. What it does is print out
a host record for down hosts before they are removed from the internal
host lists. The output for down hosts (in normal, grepable, and XML
forms) will come all in a block at the top of a host group, not
interleaved with up hosts as with ping scan. The output always goes to
XML and grepable formats, but requires -v to go to normal output.

Hi David.  This is an interesting idea.  I tested your simple patch,
and it seems to work.  Here are my notes:

o In interactive mode, I see a bunch of lines like

Nmap scan report for 64.13.134.93
Host is down.
Nmap scan report for 64.13.134.95
Host is down.
Nmap scan report for 64.13.134.96
Host is down.

This is a similar issue to the one we dealt with for -sL where it was
using two lines per skipped host.  In that case we removed the "Host
not scanned" lines, but I'm not sure what we should do here.  Leaving
two lines per down host might be OK, though I'm tempted to add the
information to the scan report line like:

Nmap scan report for 64.13.134.95 [host down]
Nmap scan report for 64.13.134.96 [host down]

Up hosts could still be handled as they currently are:

Nmap scan report for gw.cust-cedera.svcolo.com (64.13.134.81)
Host is up (0.26s latency).

Requiring verbose mode, as you do, sounds reasonable for
normal/interactive output.

o In normal output (-oN), I get:
Nmap scan report for 64.13.134.158
Nmap scan report for 64.13.134.159
Nmap scan report for 64.13.134.160
Nmap scan report for 64.13.134.161

Here we only have one line per host, but it doesn't mention the host
state.  I'd rather this be handled the same way as interactive output.

o XML output

A down host entry looks like:

<host><status state="down" reason="no-response"/>
<address addr="64.13.134.207" addrtype="ipv4" />
</host>

That is about 100 bytes, so we could have 10K down hosts per megabyte
of log file size.  So a class B address space would take about 7 MB if
all the hosts are down.  That sounds reasonable.  I think your idea of
writing these to the XML files in all cases (e.g. without requiring
-v) is a good one.  If people complain about space usage when they
scan sparse networks, we could always add an option to omit those.

o The grepable output looks like:
Host: 64.13.134.77 () Status: Down
Host: 64.13.134.78 () Status: Down
Host: 64.13.134.79 () Status: Down

That is fine.

o As you noted, the down hosts are presented in the "wrong" order.  I
don't think that is a big problem.

So, overall I think it is a good patch.  But before it is applied I
think normal mode should be fixed to show the down status and we
should figure out what to do about interactive mode (one or two
lines).

All right, this is committed now. Normal output shows down hosts with
the "[host down]" notation in one line.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
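
An added example, not part of the original message or of Nmap's code: a Python consumer of the down-host XML records discussed above. It reconciles an intended target list against the reported hosts, so "scanned and down" is told apart from "never reported", and projects log size from the record size. The sample XML, addresses and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not real scan output), using the down-host record
# layout quoted in the message above. Addresses are documentation-range.
SAMPLE_XML = """<nmaprun>
<host><status state="down" reason="no-response"/>
<address addr="192.0.2.10" addrtype="ipv4" />
</host>
<host><status state="up" reason="echo-reply"/>
<address addr="192.0.2.11" addrtype="ipv4" />
</host>
<host><status state="down" reason="no-response"/>
<address addr="192.0.2.12" addrtype="ipv4" />
</host>
</nmaprun>"""


def parse_hosts(xml_text):
    """Map each address to (state, reason, serialized record size in bytes)."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status, address = host.find("status"), host.find("address")
        if status is None or address is None:
            continue  # incomplete record: skip rather than guess
        hosts[address.get("addr")] = (
            status.get("state"), status.get("reason"), len(ET.tostring(host)))
    return hosts


def reconcile(targets, xml_text):
    """Split the intended target list into up, down and never-reported."""
    hosts = parse_hosts(xml_text)
    up = [t for t in targets if hosts.get(t, ("",))[0] == "up"]
    down = [t for t in targets if hosts.get(t, ("",))[0] == "down"]
    missing = [t for t in targets if t not in hosts]
    return up, down, missing


def projected_log_bytes(xml_text, host_count):
    """Estimate XML size if host_count hosts were all reported down."""
    sizes = [size for state, _, size in parse_hosts(xml_text).values()
             if state == "down"]
    return host_count * sum(sizes) // len(sizes) if sizes else 0
```

A target that lands in the `missing` list has no host record at all, which is a different finding from a host reported as down with reason `no-response`.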

