Nmap Development mailing list archives

Re: Ndiff ready to be tested

From: Fyodor <fyodor () insecure org>
Date: Sat, 5 Jul 2008 01:23:44 -0700

On Thu, Jun 26, 2008 at 11:44:47PM -0400, Michael Pattrick wrote:

Hey everyone,

This week I have been coding Ndiff, a utility to compare nmap xml
files and produce a XML or YAML formatted difference file. and as of
now, Ndiff is at a state of reasonable usability!


I had a chance this evening to use it for a real task, which is one of
the best way to test these things.

The first thing I encountered was the lack of XML::Writer and XML:Twig
on my system.  So I tried a newer system, and that didn't have these
Perl modules either.  I was able to easily add the modules, but that
is a lot to ask of users.  Particularly since we've already lost most
of the Windows users by requiring Perl.  So it would be good for it to
work "out of the box" for as many of the remaining users as possible.

Anyway, it worked fine once I installed the modules.  I have been
testing various Nmap changes and how they affect performance and
accuracy.  So I repeated the same scan many times with different
options.  Comparing times is straightforward, but I used ndiff to test
accuracy.  It worked pretty well for this.  Though I did take some
notes for possible improvement.  Here is an representative segment of
Ndiff output.

81.174.236.66:
        Port 10000/tcp was open
        Port 10000/tcp was listening with an snet-sensor-mgmt server

It might be nice if you could list the rDNS hostname with the IP
address (if they differ, maybe just list the newer one, or maybe don't
list it in that case).  Many sysadmins recognize their machines by
hostname more than IP.

In these scans, I never used version detection.  So the lines like the
one above about snet-sensor-mgmt are of limited usefulness.  Nmap only
previously said snet-sensor-mgmt because that is what port 10,000 is
registered to in nmap-services.  Nmap XML has fields which tell how
Nmap guessed the service name.  If generated by the table, you might
want to just ignore it like you do "unknown" ports.  On the other
hand, it can be nice to remind the user what a port maps to.  Maybe
you could combine the port number and service name in one line,
something like:

  Port 10000/tcp was open (snet-sensor-mgmt)

or

  Port 49396/tcp is closed was open (snet-sensor-mgmt)

In these examples, Nmap only prints the service name next to the open
or open|filtered states, which is probably OK.  Or you could print it
in all states like:

  Port 49396/tcp is closed (snet-sensor-mgmt) was open (snet-sensor-mgmt)

It would be nice to just print the service by the port number, but
that doesn't handle the case well where the service changes due to
different version detection results.

Alowing multiple input files as an interesting idea.  But standard
diff doesn't let you do this, so I was a bit apprehensive about trying
it.  I eventually worked up the guts to do so, and it worked pretty
well.  One potential issue is that it was hard to tell what files were
being compared when I did a 3+-file diff.  Normal diff prints
filenames if there are any differences, and maybe it would be
beneficial for ndiff to do so too.

In an svn checkin you said "Ndiff now handles hosts with dynamic
addresses intelegently".  Can you describe how it does that?

I have mixed feelings about the new output options.  They are
definitely better than the ones which differed only in capitalization.
And it is nice that they are similar to Nmap's flags.  But on the
other hand, ndiff is a simpler program than Nmap and so simpler
options might benefit it.  For example, you could have options
specifying the output type (e.g. -x and -t) and then a separate option
(such as -o) to specify the filename if the user doesn't want it going
to stdout.  An issue with the current output flags is that you can't
generate XML to standard out (as far as I can tell).  You might want
to do this when you pipe the ndiff results to a program such an xml
grep utility.  Or higher level applications such as Zenmap might
prefer to read the stdout output rather than deal with a temporary
file.  If the -oN/-oX style options are kept, they should support a
'-' to mean output to standard output, just as Nmap does.  One nice
thing about -oN/-oX is that you can potentially output to both formats
at once (I haven't tested if this works).

Anyway, ndiff did the trick for me nicely!  I hope this feedback helps.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Current thread:

Re: Ndiff ready to be tested Fyodor (Jul 02)
- Re: Ndiff ready to be tested Fyodor (Jul 02)
  - Re: Ndiff ready to be tested Michael Pattrick (Jul 02)
  - Re: Ndiff ready to be tested Arturo 'Buanzo' Busleiman (Jul 03)
- <Possible follow-ups>
- Re: Ndiff ready to be tested Fyodor (Jul 05)
  - Re: Ndiff ready to be tested Fyodor (Jul 05)
  - Re: Ndiff ready to be tested Michael Pattrick (Jul 05)