Nmap Development mailing list archives
Re: Ndiff ready to be tested
From: Fyodor <fyodor () insecure org>
Date: Sat, 5 Jul 2008 01:23:44 -0700
On Thu, Jun 26, 2008 at 11:44:47PM -0400, Michael Pattrick wrote:
> Hey everyone, This week I have been coding Ndiff, a utility to compare nmap xml files and produce an XML or YAML formatted difference file. And as of now, Ndiff is at a state of reasonable usability!
I had a chance this evening to use it for a real task, which is one of the best ways to test these things. The first thing I encountered was the lack of XML::Writer and XML::Twig on my system. So I tried a newer system, and that didn't have these Perl modules either. I was able to easily add the modules, but that is a lot to ask of users. Particularly since we've already lost most of the Windows users by requiring Perl. So it would be good for it to work "out of the box" for as many of the remaining users as possible. Anyway, it worked fine once I installed the modules.

I have been testing various Nmap changes and how they affect performance and accuracy. So I repeated the same scan many times with different options. Comparing times is straightforward, but I used ndiff to test accuracy. It worked pretty well for this. Though I did take some notes for possible improvement. Here is a representative segment of Ndiff output:

  81.174.236.66:
    Port 10000/tcp was open
    Port 10000/tcp was listening with an snet-sensor-mgmt server

It might be nice if you could list the rDNS hostname with the IP address (if they differ, maybe just list the newer one, or maybe don't list it in that case). Many sysadmins recognize their machines by hostname more than IP.

In these scans, I never used version detection. So the lines like the one above about snet-sensor-mgmt are of limited usefulness. Nmap only previously said snet-sensor-mgmt because that is what port 10,000 is registered to in nmap-services. Nmap XML has fields which tell how Nmap guessed the service name. If generated by the table, you might want to just ignore it like you do "unknown" ports. On the other hand, it can be nice to remind the user what a port maps to. Maybe you could combine the port number and service name in one line, something like:

  Port 10000/tcp was open (snet-sensor-mgmt)

or

  Port 49396/tcp is closed was open (snet-sensor-mgmt)

In these examples, Nmap only prints the service name next to the open or open|filtered states, which is probably OK. Or you could print it in all states like:

  Port 49396/tcp is closed (snet-sensor-mgmt) was open (snet-sensor-mgmt)

It would be nice to just print the service by the port number, but that doesn't handle the case well where the service changes due to different version detection results.

Allowing multiple input files is an interesting idea. But standard diff doesn't let you do this, so I was a bit apprehensive about trying it. I eventually worked up the guts to do so, and it worked pretty well. One potential issue is that it was hard to tell what files were being compared when I did a 3+-file diff. Normal diff prints filenames if there are any differences, and maybe it would be beneficial for ndiff to do so too.

In an svn checkin you said "Ndiff now handles hosts with dynamic addresses intelligently". Can you describe how it does that?

I have mixed feelings about the new output options. They are definitely better than the ones which differed only in capitalization. And it is nice that they are similar to Nmap's flags. But on the other hand, ndiff is a simpler program than Nmap and so simpler options might benefit it. For example, you could have options specifying the output type (e.g. -x and -t) and then a separate option (such as -o) to specify the filename if the user doesn't want it going to stdout.

An issue with the current output flags is that you can't generate XML to standard out (as far as I can tell). You might want to do this when you pipe the ndiff results to a program such as an XML grep utility. Or higher level applications such as Zenmap might prefer to read the stdout output rather than deal with a temporary file. If the -oN/-oX style options are kept, they should support a '-' to mean output to standard output, just as Nmap does. One nice thing about -oN/-oX is that you can potentially output to both formats at once (I haven't tested if this works).

Anyway, ndiff did the trick for me nicely! I hope this feedback helps.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
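The output format suggested in the message above (rDNS name beside the address, port and service name on one line, and the `method` attribute of Nmap XML's `<service>` element used to decide whether a table-looked-up name is worth printing) is illustrated here with a small added Python comparison routine. This is example code written for this page, not Ndiff's own code; the two scan documents are constructed in `sample_scan`, and the "not scanned" wording for a port missing from one file is an assumption of the example.

```python
import xml.etree.ElementTree as ET

def sample_scan(state_10000, state_49396):
    """Constructed Nmap XML (not real scan output) for one host with three scanned ports."""
    return f"""<nmaprun><host><address addr="81.174.236.66" addrtype="ipv4"/>
<hostnames><hostname name="host.example.invalid" type="PTR"/></hostnames><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" method="probed"/></port>
<port protocol="tcp" portid="10000"><state state="{state_10000}"/><service name="snet-sensor-mgmt" method="table"/></port>
<port protocol="tcp" portid="49396"><state state="{state_49396}"/><service name="unknown" method="table"/></port>
</ports></host></nmaprun>"""

def load_hosts(xml_text):
    """Map address -> (rDNS name or None, {(proto, port): (state, service, method)})."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        hn = host.find("hostnames/hostname")
        ports = {}
        for p in host.iter("port"):
            svc = p.find("service")
            ports[(p.get("protocol"), int(p.get("portid")))] = (
                p.find("state").get("state"),
                None if svc is None else svc.get("name"),
                None if svc is None else svc.get("method"))  # "table" = nmap-services lookup
        hosts[host.find("address").get("addr")] = (None if hn is None else hn.get("name"), ports)
    return hosts

def describe(entry, table_names=True):
    """'open (snet-sensor-mgmt)': the name is shown only for open states, and a
    table-looked-up name only when table_names is True; 'unknown' is never shown."""
    if entry is None:
        return "not scanned"  # assumption: port absent from that scan file
    state, name, method = entry
    if name and name != "unknown" and state in ("open", "open|filtered"):
        if method != "table" or table_names:
            return f"{state} ({name})"
    return state

def ndiff(old_xml, new_xml, table_names=True):
    """Per host: a header with the address plus the newer rDNS name, then one
    line per port whose state or service changed, in 'is <new> was <old>' form."""
    old, new = load_hosts(old_xml), load_hosts(new_xml)
    out = []
    for addr in sorted(set(old) | set(new)):
        old_name, old_ports = old.get(addr, (None, {}))
        new_name, new_ports = new.get(addr, (None, {}))
        changed = [(k, old_ports.get(k), new_ports.get(k))
                   for k in sorted(set(old_ports) | set(new_ports))
                   if old_ports.get(k) != new_ports.get(k)]
        if changed:  # unchanged hosts (and unchanged ports like 22/tcp) are omitted
            name = new_name or old_name
            out.append(addr + (f" ({name})" if name else "") + ":")
            out += [f"Port {k[1]}/{k[0]} is {describe(n, table_names)} was {describe(o, table_names)}"
                    for k, o, n in changed]
    return out
```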