Nmap Development mailing list archives
Re: [RFC] Ndiff
From: Fyodor <fyodor () insecure org>
Date: Wed, 2 Jul 2008 23:09:43 -0700
On Sun, Jun 15, 2008 at 11:10:32PM -0600, David Fifield wrote:
On Sun, Jun 15, 2008 at 10:14:18PM -0500, Thomas Buchanan wrote:<ports><extraports state="filtered" count="65509"> <extrareasons reason="no-responses" count="65509"/> </extraports> <extraports state="closed" count="26"> <extrareasons reason="resets" count="26"/> </extraports> </ports> ... There's no way to tell from this scan if port 53, for example, is one of the closed ports, or one of the filtered. So in that case, a diff tool wouldn't be able to specify. But where it is possible, I think it's useful information.That's a good point. It should be possible to tell the state of every single scanned port from the XML output in all cases. When there's more than one extraports element, you can't. I think Nmap should just bite the bullet in this case and list all the ports in that state, like in the services attribute of the scaninfo element.
I agree that it "should" theoretically be possible. But the current setup is a compromise between the ideal of showing the state and reason for all the ports, and the practical limitation in the size of results people want to deal with. It isn't uncommon to find hosts which have 1,000 closed ports (usually the non-open ports < 1024) and 64,000 filtered ports. And I'd guess that in 99% of the cases people don't really care which ports were closed versus filtered. Imagine a worst case scenario with 30K filtered ports, 30K closed ports, and different reasons for each. I suppose the XML could list the port numbers in the same format as scaninfo does. Though people then might expect the same in the extrareasons attribute. So I guess what I'm trying to say is that I don't consider it essential to list the port numbers in extraports. After all, I have trouble thinking of many non-contrived practical uses. But I'm not opposed to it either if good efforts are made to limit the size, such as using hyphens when there are more than a couple consecutive port number, and maybe only including the list if there is more than one extraports. If someone wants to implement this, its fine with me. I do agree that it is a little goading to not know which ports are which, despite lack of reasons to usually do so :). Cheers, -F _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Re: [RFC] Ndiff Fyodor (Jul 02)