Nmap Development mailing list archives

XML Output Proposal


From: Fyodor <fyodor () insecure org>
Date: Wed, 16 Aug 2000 00:38:38 -0700 (PDT)


Several people have sent useful input regarding the XML output format.  In
particular,  Stou Sandalski <tangui () cell2000 net> and Fredrick Paul
Eisele <phreed () netarx com> have sent some very good ideas.  I started with
those and create a sample XML output file that encompasses most of the
current features of Nmap (and some future ones as well).

I have appended the sample output.  Sorry about the long line
length.  Please send mail to nmap-dev (or just me) if you have any
suggestions for improvement.  Remember that it can be very hard to change
machine-readable output formats once they are defined.  So we must take
the opportunity to scrutinize it now.  Also note that there has to be a
balance between readability, output size, and extensibility.

<?xml version="1.0" ?>
# These pound comments will not appear in actual -oX output
# Note this may not be internally consistent (eg options used vs report given) since I'm trying to show a diverse range of features
# Also note that this may show some features that Nmap does not currently support (but I want to leave room for nmap enhancements).
<!-- nmap (V. 2.54BETA3) scan initiated Tue Aug 15 21:49:21 2000 as: nmap -sT -I -sR -O -p- -oM /tmp/smploutput.mlog localhost db -->
# Info on How Nmap was run
<nmaprun args="-sT -I -sR -O -p- -oM /tmp/smploutput.mlog localhost db" start="966401074" version="2.54BETA3">
</scaninfo type="connect" protocol="tcp" services="1-1024,1100,1400">
</scaninfo type="udp" protocol="udp" services="1-1024,1100,1400">
</scaninfo type="ipproto" protocol="ip" services="1-255">
</verbose level="1">
</debugging level="0">

# Info on hosts (each containing port info)
# note that the addrtype attributes you see will be optional and default to ipv4
<host status="up">
</address addr="192.168.0.24" addrtype="ipv4">
</address addr="00:C0:F0:48:3A:54" addrtype="mac">
</hostname name="amy.insecure.org" type="A">
</hostname name="mail.insecure.org" type="CNAME">
</hostname name="hopelessly.insecure.org" type="CNAME">
<os></osmatch name="Linux 2.1.122 - 2.2.16" accuracy="100%">
    </osmatch name="FreeBSD 4.0-Release" accuracy="100%">
    </osmatch name="Linux 2.1.84 - 2.1.121" accuracy="96%">
    </portused state="open" proto="tcp" id="22">  # OS detection is based on ports it can find to test against
    </portused state="closed" proto="tcp" id="1">
</os>
</tcpsequence index="2796433" class="random positive increments" difficulty="Worthy Challenge">
<port protocol="TCP" id="22" owner="root">
   </state state="open" conf="5"> # Conf describes the confidence that the state is correct: 5 might mean "sure" while 2 could be a guess
   </service name="ssh" conf="3" method="table"> # Obtained via lookup from nmap-services (see "method"); confidence is 1-5
   </service name="xlm4" conf="3" method="table"> # In case there are more than one service listed as using that port
   <banner>SSH-1.99-2.0.13 (non-commercial)</banner>
</port>
<port protocol="TCP" id="80" owner="nobody">
   </state state="open" conf="5">
   </service name="http" proto="http" conf="5" method="detection" version="Apache/1.3.12 (Unix) mod_perl/1.24"> # Detected via some future protocol/version detection system like the Nmap+V patch.
</port>
<port protocol="TCP" id="32773" owner="root">
   </state state="open" conf="5">
   </service name="ttdbserverd" proto="rpc" version="1-2" conf="5" method="detection"> # RPCgrind also counts as a "detection" method
</port>
<port protocol="UDP" id="31337">
   </state state="filtered" conf="5"><filteredby></packet proto="ICMP" type="3" code="3" name="ICMP port unreachable" srcipaddr="10.3.7.4" ip_v="4"></filteredby>
   </service name="backorifice" conf="3" method="table">
</port>
<traceroute type="udp" port="41702">
  <hop distance="0"> # Info like below but regarding src machine </hop>
  <hop distance="1">
     </address addr="10.4.1.7" addrtype="ipv4">
     </hostname name="router.insecure.org" type="A">
  </hop>
  <hop distance="4"> ... </hop>
</traceroute>
</timestamp end="966401076"> # Time we finished with this host
</host>
<host status="down">
</address addr="192.168.255.255" addrtype="ipv4">
<smurf responses="417"></smurf>  # Smurf (subnet-directed broadcast) address.  Not </smurf> because I might want to list the addresses someday
</extraports state="filtered" proto="TCP" ids="1-20,400-700,854">
</host>

# Statistics on Nmap run
<runstats>
</finished time="966401078" timeout="0">
</hosts up="4" down="16" total="20">
<!-- Nmap run completed at Tue Aug 15 22:59:22 2000 -- 20 IP addresses (4 hosts up) scanned in 106 seconds -->
</runstats>
</nmaprun>



---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
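As an added illustration (not code from the post, and not Nmap's own code), the script below shows how a consumer would have to treat the draft above: the `</tag attr="...">` shorthand and the `#` comments are not well-formed XML, so the script first rewrites them into `<tag attr="..."/>` and strips the comments, then walks the result with ElementTree to pull out ports, the `filteredby` reason, the `extraports` ranges and the run statistics. The embedded sample is constructed to match the draft's shape (the addresses and values are made up), and the function names (`normalize`, `port_table`, `expand_ranges`, `extraports_count`, `host_counts`) are mine; the -oX format that Nmap eventually shipped differs from this draft.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the draft (hypothetical values, not a
# real scan).  "</tag attrs>" is the draft's shorthand for an empty element
# and "# ..." are its pound comments; neither is well-formed XML.
SAMPLE = """<?xml version="1.0" ?>
# pound comments like this one would not appear in real -oX output
<nmaprun args="-sT -O -p- localhost" start="966401074" version="2.54BETA3">
</scaninfo type="connect" protocol="tcp" services="1-1024,1100,1400">
<host status="up">
</address addr="192.168.0.24" addrtype="ipv4">
</address addr="00:C0:F0:48:3A:54" addrtype="mac">
</hostname name="amy.insecure.org" type="A">
<os></osmatch name="Linux 2.1.122 - 2.2.16" accuracy="100%"></portused state="open" proto="tcp" id="22"></os>
<port protocol="TCP" id="22" owner="root">
   </state state="open" conf="5"> # 5 = sure, 2 = guess
   </service name="ssh" conf="3" method="table">
   </service name="xlm4" conf="3" method="table">
   <banner>SSH-1.99-2.0.13 (non-commercial)</banner>
</port>
<port protocol="UDP" id="31337">
   </state state="filtered" conf="5"><filteredby></packet proto="ICMP" type="3" code="3" name="ICMP port unreachable" srcipaddr="10.3.7.4" ip_v="4"></filteredby>
   </service name="backorifice" conf="3" method="table">
</port>
</host>
<host status="down">
</address addr="192.168.255.255" addrtype="ipv4">
</extraports state="filtered" proto="TCP" ids="1-20,400-700,854">
</host>
<runstats>
</finished time="966401078" timeout="0">
</hosts up="1" down="1" total="2">
</runstats>
</nmaprun>
"""

# A real closing tag (</port>, </host>) carries no attributes, so requiring
# whitespace plus attributes after the name leaves those untouched.
EMPTY_ELEM = re.compile(r'</([A-Za-z_][\w.-]*)(\s+[^<>]+)>')
COMMENT = re.compile(r'(^|\s)#.*$')


def normalize(draft):
    """Rewrite the draft's shorthand as well-formed XML that ElementTree accepts."""
    lines = []
    for line in draft.splitlines():
        line = COMMENT.sub('', line)             # drop "# ..." comments
        line = EMPTY_ELEM.sub(r'<\1\2/>', line)  # </tag a="b"> -> <tag a="b"/>
        lines.append(line)
    return '\n'.join(lines)


def expand_ranges(spec):
    """Expand the draft's ids/services syntax, e.g. '1-20,400-700,854'."""
    ports = []
    for part in spec.split(','):
        lo, _, hi = part.partition('-')
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports


def _primary_addr(host):
    # addrtype is optional in the draft and defaults to ipv4
    for a in host.findall('address'):
        if a.get('addrtype', 'ipv4') == 'ipv4':
            return a.get('addr')
    return None


def port_table(draft):
    """One dict per <port>, including why a filtered port was judged filtered."""
    root = ET.fromstring(normalize(draft))
    rows = []
    for host in root.findall('host'):
        addr = _primary_addr(host)
        for port in host.findall('port'):
            state = port.find('state')
            packet = port.find('filteredby/packet')
            rows.append({
                'addr': addr,
                'proto': port.get('protocol'),
                'port': int(port.get('id')),
                'state': state.get('state') if state is not None else None,
                'conf': int(state.get('conf', '0')) if state is not None else None,
                'services': [s.get('name') for s in port.findall('service')],
                'reason': packet.get('name') if packet is not None else None,
            })
    return rows


def extraports_count(draft):
    """Number of ports summarised by <extraports ids="..."> rather than listed."""
    root = ET.fromstring(normalize(draft))
    return sum(len(expand_ranges(e.get('ids'))) for e in root.iter('extraports'))


def host_counts(draft):
    """The up/down/total counts from <runstats><hosts ...>."""
    root = ET.fromstring(normalize(draft))
    h = root.find('runstats/hosts')
    return {k: int(h.get(k)) for k in ('up', 'down', 'total')}


if __name__ == '__main__':
    for row in port_table(SAMPLE):
        print(row)
    print('extraports:', extraports_count(SAMPLE), 'hosts:', host_counts(SAMPLE))
```

The rewrite step is the point of the exercise: once the shorthand is folded into standard empty-element syntax, every other query is an ordinary ElementTree path, which is the kind of stability the post is asking readers to check for before the format is frozen.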
