Nmap Development mailing list archives
XML Output Proposal
From: Fyodor <fyodor () insecure org>
Date: Wed, 16 Aug 2000 00:38:38 -0700 (PDT)
Several people have sent useful input regarding the XML output format. In particular, Stou Sandalski <tangui () cell2000 net> and Fredrick Paul Eisele <phreed () netarx com> have sent some very good ideas. I started with those and create a sample XML output file that encompasses most of the current features of Nmap (and some future ones as well). I have appended the sample output. Sorry about the long line length. Please send mail to nmap-dev (or just me) if you have any suggestions for improvement. Remember that it can be very hard to change machine-readable output formats once they are defined. So we must take the opportunity to scrutinize it now. Also note that there has to be a balance between readability, output size, and extensibility. <?xml version="1.0" ?> # These pound comments will not appear in actual -oX output # Note this may not be internally consistant (eg options used vs report given) since I'm trying to show a diverse range of features # Also note that this may show some features that Nmap does not currently support (but I want to leave room for nmap enhancements). <!-- nmap (V. 2.54BETA3) scan initiated Tue Aug 15 21:49:21 2000 as: nmap -sT -I -sR -O -p- -oM /tmp/smploutput.mlog localhost db --> # Info on How Nmap was run <nmaprun args="-sT -I -sR -O -p- -oM /tmp/smploutput.mlog localhost db" start="966401074" version="2.54BETA3"> </scaninfo type="connect" protocol="tcp" services="1-1024,1100,1400"> </scaninfo type="udp" protocol="udp" services="1-1024,1100,1400"> </scaninfo type="ipproto" protocol="ip" services="1-255"> </verbose level="1"> </debugging level="0"> # Info on hosts (each containing port info # note that the addrtype attributes you see will be optional and default to ipv4 <host status="up"> </address addr="192.168.0.24" addrtype="ipv4"> </address addr="00:C0:F0:48:3A:54" addrtype="mac"> </hostname name="amy.insecure.org" type="A"> </hostname name="mail.insecure.org" type="CNAME"> </hostname name="hopelessly.insecure.org" type="CNAME"> <os></osmatch name="Linux 2.1.122 - 2.2.16" accuracy="100%"> </osmatch name="FreeBSD 4.0-Release" accuracy="100%"> </osmatch name="Linux 2.1.84 - 2.1.121" accuracy="96%"> </portused state="open" proto="tcp" id="22"> # OS detection is based on ports it can find to test against </portused state="closed" proto="tcp" id="1"> </os> </tcpsequence index="2796433" class="random positive increments" difficulty="Worthy Challenge"> <port protocol="TCP" id="22" owner="root"> </state state="open" conf="5"> # Conf describes the confidence that the state is correct: 5 might mean "sure" while 2 could be a guess </service name="ssh" conf="3" method="table"> # Obtained via lookup from nmap-services (see "method"); confidence is 1-5 </service name="xlm4" conf="3" method="table"> # In case there are more than one service listed as using that port <banner>SSH-1.99-2.0.13 (non-commercial)</banner> </port> <port protocol="TCP" id="80" owner="nobody"> </state state="open" conf="5"> </service name="http" proto="http" conf="5" method="detection" version="Apache/1.3.12 (Unix) mod_perl/1.24"> # Detected via some future protocol/version detection system like the Nmap+V patch. </port> <port protocol="TCP" id="32773" owner="root"> </state state="open" conf="5"> </service name="ttdbserverd" proto="rpc" version="1-2" conf="5" method="detection"> # RPCgrind also counts as a "detection" method </port> <port protocol="UDP" id="31337"> </state state="filtered" conf="5"><filteredby></packet proto="ICMP" type="3" code="3" name="ICMP port unreachable" srcipaddr="10.3.7.4" ip_v="4"></filteredby> </service name="backorifice" conf="3" method="table"> </port> <traceroute type="udp" port="41702"> <hop distance="0"> # Info like below but regarding src machine </hop> <hop distance="1"> </address addr="10.4.1.7" addrtype="ipv4"> </hostname name="router.insecure.org" type="A"> </hop> <hop distance="4"> ... </hop> </traceroute> </timestamp end="966401076"> # Time we finished with this host </host> <host status="down"> </address addr="192.168.255.255" addrtype="ipv4"> <smurf responses="417"></smurf> # Smurf (subnet-directed broadcast) address. Not </smurf> because I might want to list the addresses someday </extraports state="filtered" proto="TCP" ids="1-20,400-700,854"> </host> # Statistics on Nmap run <runstats> </finished time="966401078" timeout=0> </hosts up="4" down="16" total="20"> <!-- Nmap run completed at Tue Aug 15 22:59:22 2000 -- 20 IP addresses (4 hosts up) scanned in 106 seconds --> </runstats> </nmaprun> --------------------------------------------------------------------- For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
Current thread:
- XML Output Proposal Fyodor (Aug 16)
- RE: XML Output Proposal Stou Sandalski (Aug 16)
- RE: XML Output Proposal Fyodor (Aug 16)
- RE: XML Output Proposal Stou Sandalski (Aug 16)