Inconsistency in nmap XML output

[David Schmalz <dvs () zurich ibm com>]

Hi everyone,

I'd like to report a minor inconsistency in the nmap XML output (tested
with versions 3.70 and 3.75). When performing an 'ping' scan, all the
hosts that are down are explicitely enumerated in the resulting XML
file. However, when I launch a full port and OS fingerprinting scan and
all the scanned hosts are actually down, no enumeration is included in
the file. This obviously prevents to define a consistent parsing
procedure.

Below test cases illustrate the reported problem.

1) ping scan

> nmap -n -sP -oX out.xml 192.168.1.1

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2004-11-01 13:38
CET
Note: Host seems down. If it is really up, but blocking our ping probes,
try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 2.147 seconds


<?xml version="1.0" ?>
<!-- nmap 3.75 scan initiated Mon Nov  1 13:38:16 2004 as: nmap -n -sP
-oX out.xml 192.168.1.1 -->
<nmaprun scanner="nmap" args="nmap -n -sP -oX out.xml 192.168.1.1"
start="1099312696" version="3.75" xmloutputversion="1.01">
<verbose level="0" />
<debugging level="0" />
<host><status state="down" />
<address addr="192.168.1.1" addrtype="ipv4" />
</host>
<runstats><finished time="1099312698" /><hosts up="0" down="1"
total="1"/>
<!-- Nmap run completed at Mon Nov  1 13:38:18 2004; 1 IP address (0
hosts up) scanned in 2.147 seconds -->
</runstats></nmaprun>

---------------------

2) port scan

> nmap -T Normal -v -O -sS -sU -p U:137,161,T:22,80 -oX out.xml
192.168.1.1

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2004-11-01 13:40
CET
Note: Host seems down. If it is really up, but blocking our ping probes,
try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 2.295 seconds


<?xml version="1.0" ?>
<!-- nmap 3.75 scan initiated Mon Nov  1 13:40:38 2004 as: nmap -T
Normal -v -O -sS -sU -p U:137,161,T:22,80 -oX out.xml 192.168.1.1 -->
<nmaprun scanner="nmap" args="nmap -T Normal -v -O -sS -sU -p
U:137,161,T:22,80 -oX out.xml 192.168.1.1" start="1099312838"
version="3.75" xmloutputversion="1.01">
<scaninfo type="syn" protocol="tcp" numservices="1" services="22,80" />
<scaninfo type="udp" protocol="udp" numservices="1" services="137,161"
/>
<verbose level="1" />
<debugging level="0" />
<runstats><finished time="1099312840" /><hosts up="0" down="1" total="1"
/>
<!-- Nmap run completed at Mon Nov  1 13:40:40 2004; 1 IP address (0
hosts up) scanned in 2.295 seconds -->
</runstats></nmaprun>





---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org