diff --git a/ndiff/docs/ndiff.xml b/ndiff/docs/ndiff.xml
index f389f0fbd..f738d4e0d 100644
--- a/ndiff/docs/ndiff.xml
+++ b/ndiff/docs/ndiff.xml
@@ -107,6 +107,75 @@
+
+ Output
+
+
+ There are two output modes: text and XML. Text output is the
+ default, and is also selected with the
+ option. Text output resembles a unified diff of Nmap's normal
+ terminal output. Each line is preceded by a character indicating
+ whether and how it changed. - means that the line
+ was in the first scan but not in the second; +
+ means it was in the second but not the first. A line that changed is
+ represented by a - line followed by a
+ + line. Lines that did not change are preceded by
+ a blank space.
+
+
+
+ is an example of text
+ output.
+
+
+
+ Ndiff text output
+
+
+
+
+
+
+ Example
+
+
+ Using Nmap, Ndiff, cron, and a shell script, it's possible to scan a
+ network daily and get email reports of the state of the network and
+ changes since the previous scan.
+ shows the script that ties it
+ together.
+
+
+
+ Scanning a network periodically with Ndiff and cron
+
+#!/bin/sh
+TARGETS="targets"
+OPTIONS="-v -T4 -F -sV"
+date=`date +%F`
+cd /root/scans
+nmap $OPTIONS $TARGETS -oA scan-$date > /dev/null
+if [ -e scan-prev.xml ]; then
+ ndiff scan-prev.xml scan-$date.xml > diff-$date
+ echo "*** NDIFF RESULTS ***"
+ cat diff-$date
+ echo
+fi
+echo "*** NMAP RESULTS ***"
+cat scan-$date.nmap
+ln -sf scan-$date.xml scan-prev.xml
+
+
+
+
+ If the script is saved as /root/scan-ndiff.sh,
+ add the following line to root's crontab:
+
+0 12 * * * /root/scan-ndiff.sh
+
+
+
+
Bugs