Re: nmap XML output for "down" hosts on -F scans

[Andrew Smith <eurodrew555 () yahoo com au>]

On 29/10/09 08:55, David Fifield wrote:
> On Wed, Oct 28, 2009 at 06:43:55PM -0600, David Fifield wrote:
>    
> > On Thu, Oct 29, 2009 at 08:33:59AM +0800, Andrew Smith wrote:
> >      
> > > I'm currently working on a monitoring project using nmap as the
> > > scanning/discovery engine.
> > > The XML output is being parsed and updated on a MySQL database with a
> > > PHP front end to display/filter the results.
> > >
> > > Running nmap with -sP provides output of both hosts that are up and
> > > down, for example:
> > >
> > > nmap -sP 192.168.2.0/24 -oX nmap-sP-192.168.2.0-24.xml
> > >
> > > ....
> > > <host><status state="down" reason="host-unreach"/>
> > > <address addr="192.168.2.6" addrtype="ipv4" />
> > > </host>
> > > ....
> > >
> > > However, if I run nmap as:
> > >
> > > nmap -F --script smb-os-discovery 192.168.2.0/24 -oX
> > > nmap-F-smb-os-discovery-192.168.2.0-24.xml
> > >
> > > then I only get results for hosts that are "up".
> > >
> > > I have tried using debug and verbosity (-d9 -vvv) but this doesn't
> > > provide any information about "down" hosts.
> > >
> > > I'm working around this at the moment by running a -sP first pass
> > > followed by a -F second pass but it would be more efficient (and reduce
> > > the load on the system) by being able to get the status of all hosts in
> > > the -F pass.
> > >        
> > This is the same problem that was reported at
> > http://seclists.org/nmap-dev/2009/q3/1081. Unfortunately there's
> > currently no way to get down hosts in the output when a scan includes a
> > port scan, script scan, or traceroute. The reason is that Nmap removes
> > the down hosts from its internal data structures before doing the
> > further scanning and output.
> >
> > Depending on how much control you have over the parsing, you may be able
> > to work around the problem by doing the first pass with -sL rather than
> > -sP. That will add an entry for every host, with a state of "unknown".
> > You can then subtract the up hosts from the second pass to get the set
> > of down hosts.
> >      
> Here's a patch for everybody's consideration. What it does is print out
> a host record for down hosts before they are removed from the internal
> host lists. The output for down hosts (in normal, grepable, and XML
> forms) will come all in a block at the top of a host group, not
> interleaved with up hosts as with ping scan. The output always goes to
> XML and grepable formats, but requires -v to go to normal output.
>
> Index: nmap.cc
> ===================================================================
> --- nmap.cc     (revision 15952)
> +++ nmap.cc     (working copy)
> @@ -1747,6 +1747,9 @@
>         /* I used to check that !currenths->weird_responses, but in some
>          rare cases, such IPs CAN be port successfully scanned and even connected to */
>         if (!(currenths->flags&  HOST_UP)) {
> +       log_write(LOG_XML, "<host>");
> +       write_host_header(currenths);
> +       log_write(LOG_XML, "</host>\n");
>         delete currenths;
>         o.numhosts_scanned++;
>         continue;
>
> David Fifield
>    

Excellent, this is exactly what I was after - I can now scan and parse 
the XML and get the state of the network in one pass.

It would be great if this could be committed to svn.

Many thanks,
Andrew
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/