Nmap Development mailing list archives
Re: [Patch] Showing TTL in default output
From: Fyodor <fyodor () nmap org>
Date: Thu, 14 Aug 2014 13:42:54 -0700
On Wed, Jul 30, 2014 at 12:47 AM, Jay Bosamiya <jaybosamiya () gmail com> wrote:
I feel that the reason we made it "--reason -v" instead of just making it default for "--reason" is that some users might not be interested in TTL information.
That's a good point, but we could also hypothesize about users who want the TTL information, but don't want all the other stuff which comes with -v. But the users I'm most worried about are the ones who would like the TTL info, but might never know about or see it if it requires two non-default options to enable. I see that as a bigger problem than the case that users might see this short output and somehow be annoyed by the information, even after they have specified --reason or -vv or -d (which enable --reason).
They might be used to seeing things from --reason and find the new output (i.e. with TTL) confusing.
It is a pretty minor change in the Nmap output as a whole, so I think they can handle it. And our policy is to try and find the best output at the current time and we're not afraid to change things. The exception is XML output, which is meant to stay compatible and is what folks reading Nmap output programmatically should be using. Nmap is 2 weeks away from it's 17th birthday, and it would never have gotten this far if we were afraid to make changes. However, by saying "--reason -v" they say that they want a "more verbose
reason"
We Nmap developers may design our command lines with skill and care and subtlety, but I'm afraid you may be overestimating how many normal Nmap users do that :). So I'd rather err on the side of including this extra bit of short information, particularly considering that they will have to specify --reason, -vv, or -d to get it anyway. As for the different way of showing output (TTL in the reason column), I
don't see how it would save horizontal space. The TTL column makes the table wider by 4 characters (always), but the "syn-ack (ttl 52)" method would use more characters in most cases.
Yeah, I think the combined format probably is slightly longer (the longest lines are two characters longer in my previous scanme.nmap.org example). However, I think it is easier to read that way. Including the TTL on its own line separates it from the reason and also gives this column of digits too much prominence, placing them at the same level as other fields like the service name and whether the port is open. Putting the TTL in a parenthetical after the reason (like "syn-ack (ttl 53)") puts the information more in context. And actually, maybe we don't really need the parenthesis. If we just do "syn-ack ttl 53" it will be the same length as in the separate column mode. So it would look like: PORT STATE SERVICE REASON 22/tcp open ssh syn-ack ttl 52 25/tcp filtered smtp no-response 80/tcp open http syn-ack ttl 52 135/tcp filtered msrpc no-response 139/tcp filtered netbios-ssn no-response 445/tcp filtered microsoft-ds no-response 9929/tcp open nping-echo syn-ack ttl 52 So the format above would be my suggestion. Also, I think that the reason we need to have a TTL column is to be able to
see (at a single glance) if any TTLs are different. When in a column form, the numbers are almost instantly interpreted by a human (or alien, if they have started using Nmap :D) and they can tell if there is any anomaly (maybe one of the TTLs is off by one: possibly implying a firewall, etc).
That is a good reason for the column mode, but I think they will be roughly in a column with the combined output (as above) too. If there are different types of responses (syn-ack, reset, etc.) the column numbers won't match up exactly, but I think it will be close enough to read. And Nmap is better than humans at detecting subtle differences like this anyway, so this is sort of where the roll-up stuff you mention comes in. I will be looking into the roll-up stuff in a short while; and I do agree
that it would give a lot of interesting information. I personally do not mind added complexity as long as it provides more useful information.
Yeah, that could be interesting. Cheers, Fyodor _______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [Patch] Showing TTL in default output Jay Bosamiya (Jul 16)
- Re: [Patch] Showing TTL in default output Daniel Miller (Jul 16)
- Re: [Patch] Showing TTL in default output Daniel Miller (Jul 18)
- Re: [Patch] Showing TTL in default output Fyodor (Jul 28)
- Re: [Patch] Showing TTL in default output Otto Airamo (Jul 29)
- Re: [Patch] Showing TTL in default output Jay Bosamiya (Jul 30)
- Re: [Patch] Showing TTL in default output Daniel Miller (Jul 30)
- Re: [Patch] Showing TTL in default output Otto Airamo (Aug 03)
- Re: [Patch] Showing TTL in default output Daniel Miller (Jul 18)
- Re: [Patch] Showing TTL in default output Daniel Miller (Jul 16)
- Re: [Patch] Showing TTL in default output Jay Bosamiya (Jul 30)
- Re: [Patch] Showing TTL in default output Fyodor (Aug 14)
- Re: [Patch] Showing TTL in default output Jay Bosamiya (Aug 15)