Nmap Development mailing list archives

Re: [RFC] Ndiff


From: Fyodor <fyodor () insecure org>
Date: Wed, 2 Jul 2008 23:09:43 -0700

On Sun, Jun 15, 2008 at 11:10:32PM -0600, David Fifield wrote:
> On Sun, Jun 15, 2008 at 10:14:18PM -0500, Thomas Buchanan wrote:
> > <ports><extraports state="filtered" count="65509">
> > <extrareasons reason="no-responses" count="65509"/>
> > </extraports>
> > <extraports state="closed" count="26">
> > <extrareasons reason="resets" count="26"/>
> > </extraports>
> > </ports>
> > ...
> > There's no way to tell from this scan if port 53, for example, is one of
> > the closed ports, or one of the filtered.  So in that case, a diff tool
> > wouldn't be able to specify.  But where it is possible, I think it's
> > useful information.
> 
> That's a good point. It should be possible to tell the state of every
> single scanned port from the XML output in all cases. When there's more
> than one extraports element, you can't. I think Nmap should just bite
> the bullet in this case and list all the ports in that state, like in
> the services attribute of the scaninfo element.

I agree that it "should" theoretically be possible.  But the current
setup is a compromise between the ideal of showing the state and
reason for all the ports, and the practical limitation in the size of
results people want to deal with.  It isn't uncommon to find hosts
which have 1,000 closed ports (usually the non-open ports < 1024) and
64,000 filtered ports.  And I'd guess that in 99% of the cases people
don't really care which ports were closed versus filtered.  Imagine a
worst case scenario with 30K filtered ports, 30K closed ports, and
different reasons for each.

I suppose the XML could list the port numbers in the same format as
scaninfo does.  Though people then might expect the same in the
extrareasons attribute.

So I guess what I'm trying to say is that I don't consider it
essential to list the port numbers in extraports.  After all, I have
trouble thinking of many non-contrived practical uses.  But I'm not
opposed to it either if good efforts are made to limit the size, such
as using hyphens when there are more than a couple consecutive port
numbers, and maybe only including the list if there is more than one
extraports.  If someone wants to implement this, it's fine with me.  I
do agree that it is a little goading to not know which ports are
which, despite lack of reasons to usually do so :).

Cheers,
-F
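
The ambiguity discussed in this thread, as an added example that is not part of the original messages or of Nmap/Ndiff: a small Python parser that resolves a port's state from Nmap XML only when the output actually determines it (one extraports element), returns None when two or more extraports elements make it unrecoverable, and renders a port list in the hyphenated form Fyodor suggests (modelled on scaninfo's services attribute). The sample XML is constructed from the fragment quoted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <ports> fragment quoted in the thread, wrapped in
# the enclosing elements and given two explicitly listed open ports.
SAMPLE_XML = """<nmaprun><host><ports>
<extraports state="filtered" count="65509">
<extrareasons reason="no-responses" count="65509"/>
</extraports>
<extraports state="closed" count="26">
<extrareasons reason="resets" count="26"/>
</extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/></port>
</ports></host></nmaprun>"""


def port_state(xml_text, portid):
    """Return the state of `portid` if the XML determines it, else None.

    An explicitly listed <port> is unambiguous.  A single <extraports>
    element covers every unlisted port, so its state applies to them all.
    With two or more <extraports> elements (the case raised in the thread)
    an unlisted port's state is not recoverable, so return None rather
    than guess; a diff tool should report it as unknown.
    """
    ports = ET.fromstring(xml_text).find("./host/ports")
    for p in ports.findall("port"):
        if int(p.get("portid")) == portid:
            return p.find("state").get("state")
    extra = ports.findall("extraports")
    return extra[0].get("state") if len(extra) == 1 else None


def compress_ports(portids):
    """Render a port list the way scaninfo's services attribute does:
    sorted, de-duplicated, with runs of consecutive numbers collapsed to
    'lo-hi' so a long extraports list stays small."""
    out, nums = [], sorted(set(portids))
    i = 0
    while i < len(nums):
        j = i
        while j + 1 < len(nums) and nums[j + 1] == nums[j] + 1:
            j += 1
        out.append(str(nums[i]) if i == j else f"{nums[i]}-{nums[j]}")
        i = j + 1
    return ",".join(out)


if __name__ == "__main__":
    print(port_state(SAMPLE_XML, 22))   # open
    print(port_state(SAMPLE_XML, 53))   # None: two extraports elements
    print(compress_ports([1, 2, 3, 5, 7, 8, 1024]))  # 1-3,5,7-8,1024
```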

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
