Nmap Development mailing list archives

Re: nmap XML output for "down" hosts on -F scans


From: David Fifield <david () bamsoftware com>
Date: Wed, 28 Oct 2009 18:43:55 -0600

On Thu, Oct 29, 2009 at 08:33:59AM +0800, Andrew Smith wrote:
> I'm currently working on a monitoring project using nmap as the
> scanning/discovery engine.
> The XML output is being parsed and updated on a MySQL database with a
> PHP front end to display/filter the results.
>
> Running nmap with -sP provides output of both hosts that are up and
> down, for example:
>
> nmap -sP 192.168.2.0/24 -oX nmap-sP-192.168.2.0-24.xml
>
> ....
> <host><status state="down" reason="host-unreach"/>
> <address addr="192.168.2.6" addrtype="ipv4" />
> </host>
> ....
>
> However, if I run nmap as:
>
> nmap -F --script smb-os-discovery 192.168.2.0/24 -oX nmap-F-smb-os-discovery-192.168.2.0-24.xml
>
> then I only get results for hosts that are "up".
>
> I have tried using debug and verbosity (-d9 -vvv) but this doesn't
> provide any information about "down" hosts.
>
> I'm working around this at the moment by running a -sP first pass
> followed by a -F second pass but it would be more efficient (and reduce
> the load on the system) by being able to get the status of all hosts in
> the -F pass.

This is the same problem that was reported at
http://seclists.org/nmap-dev/2009/q3/1081. Unfortunately there's
currently no way to get down hosts in the output when a scan includes a
port scan, script scan, or traceroute. The reason is that Nmap removes
the down hosts from its internal data structures before doing the
further scanning and output.

Depending on how much control you have over the parsing, you may be able
to work around the problem by doing the first pass with -sL rather than
-sP. That will add an entry for every host, with a state of "unknown".
You can then subtract the up hosts from the second pass to get the set
of down hosts.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
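
The subtraction workaround described in the reply above, as an added example that is not part of the original message or of Nmap itself. It assumes both passes were saved with -oX; the two XML strings are constructed sample data trimmed to the elements the code reads, and the function names are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: first pass (-sL) lists every target as "unknown".
LIST_SCAN_XML = """<nmaprun>
<host><status state="unknown"/><address addr="192.168.2.5" addrtype="ipv4"/></host>
<host><status state="unknown"/><address addr="192.168.2.6" addrtype="ipv4"/></host>
<host><status state="unknown"/><address addr="192.168.2.7" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed sample: second pass (-F ...) contains only the hosts that are up.
PORT_SCAN_XML = """<nmaprun>
<host><status state="up"/>
<address addr="192.168.2.5" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
</host>
<host><status state="up"/><address addr="192.168.2.7" addrtype="ipv4"/></host>
</nmaprun>"""


def hosts_by_state(xml_text, wanted_state):
    """Return the IP addresses of <host> entries whose <status> matches."""
    found = set()
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != wanted_state:
            continue
        for addr in host.findall("address"):
            # A host may also carry a MAC <address>; only IPs identify the target.
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                found.add(ipaddress.ip_address(addr.get("addr")))
    return found


def down_hosts(list_scan_xml, port_scan_xml):
    """Targets listed by -sL that the second pass did not report as up."""
    targets = hosts_by_state(list_scan_xml, "unknown")
    up = hosts_by_state(port_scan_xml, "up")
    return sorted(targets - up)


if __name__ == "__main__":
    for ip in down_hosts(LIST_SCAN_XML, PORT_SCAN_XML):
        print(ip, "down")
```

Comparing parsed addresses rather than raw strings keeps the subtraction correct when the two files format the same address differently.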

