diff --git a/ndiff/docs/ndiff.xml b/ndiff/docs/ndiff.xml index a3461037c..d3eec54df 100644 --- a/ndiff/docs/ndiff.xml +++ b/ndiff/docs/ndiff.xml @@ -107,6 +107,57 @@ + + Example + + + Let's use Ndiff to compare the output of two Nmap scans that use + different options. In the first, we'll do a fast scan + (), which scans fewer ports for speed. In the + second, we'll scan the larger default set of ports, and run an NSE + script. + + + +# nmap -F scanme.nmap.org -oX scanme-1.xml +# nmap --script=html-title scanme.nmap.org -oX scanme-2.xml +$ ndiff -v scanme-1.xml scanme-2.xml +-Nmap 4.90RC2 at 2009-07-16 13:29 ++Nmap 4.90RC2 at 2009-07-16 13:33 + + scanme.nmap.org (64.13.134.52): + Host is up. +-Not shown: 95 filtered ports ++Not shown: 993 filtered ports + PORT STATE SERVICE VERSION + 22/tcp open ssh + 25/tcp closed smtp + 53/tcp open domain ++70/tcp closed gopher + 80/tcp open http ++|_ html-title: Go ahead and ScanMe! + 113/tcp closed auth ++31337/tcp closed Elite + + + + Changes are marked by a - or + + at the beginning of a line. We can see from the output that the scan + without the fast scan option found two + additional ports: 70 and 31337. The + html-title.nse script produced some additional + output for port 80. From the port counts, we may infer that the fast + scan scanned 100 ports (95 filtered, 3 open, and 2 closed), while + the normal scan scanned 1000 (993 filtered, 3 open, and 4 closed). + + + + The (or ) option to + Ndiff made it show even the ports that didn't change, like 22 and + 25. Without , they would not have been shown. + + + Output @@ -164,7 +215,7 @@ - Example + Periodic Diffs Using Nmap, Ndiff, cron, and a shell script, it's possible to scan a
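Review bot: In the @@ -107,6 +107,57 @@ hunk, the explanatory paragraphs after the sample output never account for the first changed pair, "-Nmap 4.90RC2 at 2009-07-16 13:29" and "+Nmap 4.90RC2 at 2009-07-16 13:33", so a reader cannot tell whether a difference in the banner line is expected on every comparison. Suggest adding one sentence saying that the only difference visible in those two lines is the scan start time. The two scans also differ in two ways at once (the first uses -F, the second adds --script=html-title). The prose does attribute ports 70 and 31337 to the larger port set and the html-title line to the script, but it would help to state that both added ports are in state closed, so the set of open ports (22, 53, 80) is the same in both scans.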
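Review bot: In the @@ -164,7 +215,7 @@ hunk, the title "Example" is taken away from the cron-based section and, per the first hunk, reused for a new section with different content, so anything that refers to the "Example" section by title would now point at the one-off comparison instead of the periodic scan. Suggest checking the rest of ndiff.xml for such references, or giving the new section a more specific title so that neither section carries the bare name "Example".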