Idea: --show-ttl (like --reason)

[Jacek Wielemborek <d33tah () gmail com>]

List,

Ever since I discovered -oX -, I missed some of the data it displays in
Nmap's default output mode. Compare these two:

> $ nmap scanme.nmap.org -Pn -n -p 80
>
> Starting Nmap 6.45 ( http://nmap.org ) at 2014-07-09 12:01 CEST
> Nmap scan report for scanme.nmap.org (74.207.244.221)
> Host is up (0.19s latency).
> PORT STATE SERVICE
> 80/tcp open http
>
> Nmap done: 1 IP address (1 host up) scanned in 0.83 seconds

And the XML output:

> $ nmap scanme.nmap.org -Pn -n -p 80 -oX -
> <?xml version="1.0"?>
> <!DOCTYPE nmaprun PUBLIC "-//IDN nmap.org//DTD Nmap XML 1.04//EN"
> "https://svn.nmap.org/nmap/docs/nmap.dtd";>
> <?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl"
> type="text/xsl"?>
> <!-- Nmap 6.45 scan initiated Wed Jul 9 12:01:04 2014 as: nmap -Pn -n -p
> 80 -oX - scanme.nmap.org -->
> <nmaprun scanner="nmap" args="nmap -Pn -n -p 80 -oX - scanme.nmap.org"
> start="1404900064" startstr="Wed Jul 9 12:01:04 2014" version="6.45"
> xmloutputversion="1.04">
> <scaninfo type="syn" protocol="tcp" numservices="1" services="80"/>
> <verbose level="0"/>
> <debugging level="0"/>
> <host starttime="1404900064" endtime="1404900065"><status state="up"
> reason="user-set" reason_ttl="0"/>
> <address addr="74.207.244.221" addrtype="ipv4"/>
> <hostnames>
> <hostname name="scanme.nmap.org" type="user"/>
> </hostnames>
> <ports><port protocol="tcp" portid="80"><state state="open"
> reason="syn-ack" reason_ttl="50"/><service name="http" method="table"
> conf="3"/></port>
> </ports>
> <times srtt="190339" rttvar="190339" to="951695"/>
> </host>
> <runstats><finished time="1404900065" timestr="Wed Jul 9 12:01:05 2014"
> elapsed="0.93" summary="Nmap done at Wed Jul 9 12:01:05 2014; 1 IP
> address (1 host up) scanned in 0.93 seconds" exit="success"/><hosts
> up="1" down="0" total="1"/>
> </runstats>
> </nmaprun>

While most of the data shown in the XML file can be inferred or enabled
by using various command-line switches such as -v or --reason, one piece
of information that is particularly difficult to extract is the
"reason_ttl" field, which could carry interesting information. The only
way I found to display it in the normal output mode is by enabling
debugging output, which makes it hard to read. Perhaps it would be
better to have an additional column in scan results, just like --reason,
which would just show the TTL to make it easier to note load balancers
and such? I'm thinking of something like this:

> $ nmap scanme.nmap.org -Pn -n -p 80 --reason --show-ttl
>
> Starting Nmap 6.45 ( http://nmap.org ) at 2014-07-09 12:01 CEST
> Nmap scan report for scanme.nmap.org (74.207.244.221)
> Host is up (0.19s latency).
> PORT STATE SERVICE REASON  TTL
> 80/tcp open http   syn-ack 50
>
> Nmap done: 1 IP address (1 host up) scanned in 0.83 seconds

Also, shouldn't -v (or -vv or even higher) imply --reason and maybe
--show-ttl?

What do you think?

Jacek

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/