PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2026-01-01 12:29:03 +00:00
Code Issues Projects Releases Wiki Activity
Files
111146a71763b4e677cba2bc87d7bc3f6ecc9cd2
nmap/ndiff/README
david c4b27a31b4 Don't ignore host state changes when the change is to the state "unknown". This 
happens when a host was scanned in the A scan but wasn't scanned in the B scan.
I previously had it ignore such changes using the logic that the diff should be
like scan aggregation: no new information means no state change. But I think
it's more useful to see those changes in which hosts were scanned.

This is analogous to r10263, which did the same thing for port state changes.
2009-01-20 21:02:15 +00:00

85 lines
3.1 KiB
Plaintext
Raw Blame History

Ndiff
Ndiff is a tool to aid in the comparison of Nmap scans. Specifically, it
takes two Nmap XML output files and prints the differences between them:
hosts coming up and down, ports becoming open or closed, and things like
that.
To install, run (as root)
python setup.py install
It's also possible to run the program from within the distribution
without installing it.
Use "ndiff --help" for usage instructions. Output can be in
human-readable text format ("ndiff --text") or machine-readable XML
format ("ndiff --xml").
Here is a sample of the text output:
$ ./ndiff test-scans/random-1.xml test-scans/random-2.xml
Thu Sep 11 11:39:32 2008 -> Tue Sep 16 13:59:22 2008
cuvtdnray-504.example.com (10.214.143.33):
Host is up, was unknown.
Add ipv4 address 10.214.143.33.
Add hostname cuvtdnray-504.example.com.
3389/tcp is open.
999 tcp ports are filtered.
scnqxez-842.example.com (10.189.71.117):
Remove hostname scnqxez-842.example.com.
10.226.19.80:
21/tcp is open, was filtered.
23/tcp is open, was filtered.
80/tcp is open, was filtered.
8701/tcp is filtered, was open.
ywnleu-108.example.com (10.242.160.155):
Host is up, was unknown.
Add ipv4 address 10.242.160.155.
Add hostname ywnleu-108.example.com.
1000 tcp ports are filtered.
fiyrownc-307.example.com (10.65.53.252):
Host is unknown, was up.
Remove ipv4 address 10.65.53.252.
Remove hostname fiyrownc-307.example.com.
8089/tcp is unknown, was open.
999 tcp ports changed state from filtered to unknown.
Here is an abbreviated sample of the XML output:
$ ./ndiff --xml test-scans/random-1.xml test-scans/random-2.xml
<?xml version="1.0" encoding="UTF-8"?>
<nmapdiff>
<scandiff a-start="1221154772" b-start="1221595162">
<host>
<address addr="10.214.143.33" addrtype="ipv4"/>
<hostname name="cuvtdnray-504.example.com"/>
<host-state-change a-state="unknown" b-state="up"/>
<host-address-add>
<address addr="10.214.143.33" addrtype="ipv4"/>
</host-address-add>
<host-hostname-add>
<hostname name="cuvtdnray-504.example.com"/>
</host-hostname-add>
<port-state-change a-state="unknown" b-state="filtered" portid="1" protocol="tcp"/>
<port-state-change a-state="unknown" b-state="filtered" portid="3" protocol="tcp"/>
<port-state-change a-state="unknown" b-state="filtered" portid="4" protocol="tcp"/>
</host>
<host>
<address addr="10.189.71.117" addrtype="ipv4"/>
<hostname name="scnqxez-842.example.com"/>
<host-hostname-remove>
<hostname name="scnqxez-842.example.com"/>
</host-hostname-remove>
</host>
</scandiff>
</nmapdiff>
Ndiff started as a project by Michael Pattrick <mpattrick@rhinovirus.org>
during the 2008 Google Summer of Code. Michael designed the program and
led the discussion of its output formats. He wrote versions of the
program in Perl and C++, but the summer ended shortly after it was
decided to rewrite the program in Python for the sake of Windows
compatibility. This Python version is written by David Fifield
<david@bamsoftware.com>.
Ndiff web site: http://nmap.org/ndiff/
Reference in New Issue View Git Blame Copy Permalink