Nmap Development mailing list archives

Re: Inconsistency in nmap XML output


From: Fyodor <fyodor () insecure org>
Date: Tue, 9 Nov 2004 20:35:08 -0800

On Mon, Nov 01, 2004 at 01:53:21PM +0100, David Schmalz wrote:
> Hi everyone,
>
> I'd like to report a minor inconsistency in the nmap XML output (tested
> with versions 3.70 and 3.75). When performing a 'ping' scan, all the
> hosts that are down are explicitly enumerated in the resulting XML
> file. However, when I launch a full port and OS fingerprinting scan and
> all the scanned hosts are actually down, no enumeration is included in
> the file. This obviously prevents defining a consistent parsing
> procedure.

I have mixed feelings about printing the down hosts.  It is done for a
ping scan, since the whole point of that scan type is to determine
what systems are up or down.  For a more intrusive scan, I suspect
most apps don't care about the down hosts.  Nmap doesn't print them on
its normal output unless verbosity is requested.

Also, to print all the hosts in the right order, Nmap would have to
save down hosts around until it is finished scanning the up hosts.
That would be a bit of a pain to implement.  Also, it could
substantially enlarge the output.  For example, the guy I just replied
to was scanning 24 million addresses with most of them down.  A down
host takes about 85 bytes in XML.  So the logs would be an extra 2GB
if 23.5M of the hosts are down.

Maybe the down hosts should only be printed (in ping or port scan
mode) with -v, as they are in normal output.  If I hear sufficient
demand from people, I'll implement that (like I said, it is a bit of a
pain). 

Cheers,
-F
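
An added example, not part of the original message or of Nmap itself: one way a consumer of the XML can get the same result from both scan types is to start from its own target list and treat any address without a <host> element as down. The sample XML and the 192.0.2.0/31 target range are constructed; the element names (host, status, address, runstats/hosts) are assumed to match the Nmap XML format being parsed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed samples for 192.0.2.0/31: the ping-scan file lists the down
# host, the port-scan file omits it (the inconsistency discussed above).
PING_XML = """<nmaprun>
<host><status state="down"/><address addr="192.0.2.0" addrtype="ipv4"/></host>
<host><status state="up"/><address addr="192.0.2.1" addrtype="ipv4"/></host>
<runstats><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>"""
PORT_XML = """<nmaprun>
<host><status state="up"/><address addr="192.0.2.1" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open"/></port></ports>
</host>
<runstats><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>"""
TARGETS = list(ipaddress.ip_network("192.0.2.0/31"))  # assumed scan range


def host_states(xml_text, targets):
    """Map every target address to 'up' or 'down'.

    A target with no <host> element is recorded as down, so the result is
    the same whether or not the file enumerates down hosts.
    """
    root = ET.fromstring(xml_text)
    states = {str(ip): "down" for ip in targets}
    for host in root.iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or addr is None:
            continue  # skip malformed or non-IPv4 entries
        states[addr.get("addr")] = status.get("state")
    return states


def matches_runstats(xml_text, states):
    """Cross-check the derived counts against the <runstats> summary."""
    hosts = ET.fromstring(xml_text).find("runstats/hosts")
    if hosts is None:
        return None  # no summary in this file, nothing to compare
    up = sum(1 for s in states.values() if s == "up")
    down = len(states) - up
    return up == int(hosts.get("up")) and down == int(hosts.get("down"))


if __name__ == "__main__":
    for name, xml_text in (("ping", PING_XML), ("port", PORT_XML)):
        print(name, host_states(xml_text, TARGETS))
```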
