NDIFF(1)                         User Commands                        NDIFF(1)

NAME

       ndiff - Utility to compare the results of Nmap scans

SYNOPSIS

       ndiff [options] {a.xml} {b.xml}

DESCRIPTION

       Ndiff is a tool to aid in the comparison of Nmap scans. It takes two
       Nmap XML output files and prints the differences between them. The
       differences observed are:

       ·   Host states (e.g. up to down)

       ·   Port states (e.g. open to closed)

       ·   Service versions (from -sV)

       ·   OS matches (from -O)

       ·   Script output

       Ndiff, like the standard diff utility, compares two scans at a time.

OPTIONS SUMMARY

       -h, --help
           Show a help message and exit.

       -v, --verbose
           Include all hosts and ports in the output, not only those that have
           changed.

       --text
           Write output in human-readable text format.

       --xml
           Write output in machine-readable XML format. The document structure
           is defined in the file ndiff.dtd included in the distribution.

       Any other arguments are taken to be the names of Nmap XML output files.
       There must be exactly two.

EXAMPLE

       Let's use Ndiff to compare the output of two Nmap scans that use
       different options. In the first, we'll do a fast scan (-F), which scans
       fewer ports for speed. In the second, we'll scan the larger default set
       of ports, and run an NSE script.

           # nmap -F scanme.nmap.org -oX scanme-1.xml
           # nmap --script=html-title scanme.nmap.org -oX scanme-2.xml
           $ ndiff -v scanme-1.xml scanme-2.xml
           -Nmap 5.35DC1 at 2010-07-16 12:09
           +Nmap 5.35DC1 at 2010-07-16 12:13

            scanme.nmap.org (64.13.134.52):
            Host is up.
           -Not shown: 95 filtered ports
           +Not shown: 993 filtered ports
            PORT      STATE  SERVICE VERSION
            22/tcp    open   ssh
            25/tcp    closed smtp
            53/tcp    open   domain
           +70/tcp    closed gopher
            80/tcp    open   http
           +|_ html-title: Go ahead and ScanMe!
            113/tcp   closed auth
           +31337/tcp closed Elite

       Changes are marked by a - or + at the beginning of a line. We can see
       from the output that the scan without the -F fast scan option found two
       additional ports: 70 and 31337. The html-title script produced some
       additional output for port 80. From the port counts, we may infer that
       the fast scan scanned 100 ports (95 filtered, 3 open, and 2 closed),
       while the normal scan scanned 1000 (993 filtered, 3 open, and 4
       closed).

       The -v (or --verbose) option to Ndiff made it show even the ports that
       didn't change, like 22 and 25. Without -v, they would not have been
       shown.

OUTPUT

       There are two output modes: text and XML. Text output is the default,
       and can also be selected with the --text option. Text output resembles
       a unified diff of Nmap's normal terminal output. Each line is preceded
       by a character indicating whether and how it changed. - means that the
       line was in the first scan but not in the second; + means it was in the
       second but not the first. A line that changed is represented by a -
       line followed by a + line. Lines that did not change are preceded by a
       blank space.

       Example 1 is an example of text output. Here, port 80 on the host
       photos-cache-snc1.facebook.com gained a service version (lighttpd
       1.5.0). The host at 69.63.179.25 changed its reverse DNS name. The host
       at 69.63.184.145 was completely absent in the first scan but came up in
       the second.

       Example 1. Ndiff text output

           -Nmap 4.85BETA3 at 2009-03-15 11:00
           +Nmap 4.85BETA4 at 2009-03-18 11:00

            photos-cache-snc1.facebook.com (69.63.178.41):
            Host is up.
            Not shown: 99 filtered ports
            PORT   STATE SERVICE VERSION
           -80/tcp open  http
           +80/tcp open  http    lighttpd 1.5.0

           -cm.out.snc1.tfbnw.net (69.63.179.25):
           +mailout-snc1.facebook.com (69.63.179.25):
            Host is up.
            Not shown: 100 filtered ports

           +69.63.184.145:
           +Host is up.
           +Not shown: 98 filtered ports
           +PORT    STATE SERVICE  VERSION
           +80/tcp  open  http     Apache httpd 1.3.41.fb1
           +443/tcp open  ssl/http Apache httpd 1.3.41.fb1

       XML output, intended to be processed by other programs, is selected
       with the --xml option. It is based on Nmap's XML output, with a few
       additional elements to indicate differences. The XML document is
       enclosed in nmapdiff and scandiff elements. Host differences are
       enclosed in hostdiff tags and port differences are enclosed in portdiff
       tags. Inside a hostdiff or portdiff, a and b tags show the state of the
       host or port in the first scan (a) or the second scan (b).

       Example 2 shows the XML diff of the same scans shown above in
       Example 1. Notice how port 80 of photos-cache-snc1.facebook.com is
       enclosed in portdiff tags. For 69.63.179.25, the old hostname is in a
       tags and the new is in b. For the new host 69.63.184.145, there is a b
       in the hostdiff without a corresponding a, indicating that there was no
       information for the host in the first scan.

       Example 2. Ndiff XML output

           <?xml version="1.0" encoding="UTF-8"?>
           <nmapdiff version="1">
             <scandiff>
               <hostdiff>
                 <host>
                   <status state="up"/>
                   <address addr="69.63.178.41" addrtype="ipv4"/>
                   <hostnames>
                     <hostname name="photos-cache-snc1.facebook.com"/>
                   </hostnames>
                   <ports>
                     <extraports count="99" state="filtered"/>
                     <portdiff>
                       <port portid="80" protocol="tcp">
                         <state state="open"/>
                         <a>
                           <service name="http"/>
                         </a>
                         <b>
                           <service name="http" product="lighttpd" version="1.5.0"/>
                         </b>
                       </port>
                     </portdiff>
                   </ports>
                 </host>
               </hostdiff>
               <hostdiff>
                 <host>
                   <status state="up"/>
                   <address addr="69.63.179.25" addrtype="ipv4"/>
                   <hostnames>
                     <a>
                       <hostname name="cm.out.snc1.tfbnw.net"/>
                     </a>
                     <b>
                       <hostname name="mailout-snc1.facebook.com"/>
                     </b>
                   </hostnames>
                   <ports>
                     <extraports count="100" state="filtered"/>
                   </ports>
                 </host>
               </hostdiff>
               <hostdiff>
                 <b>
                   <host>
                     <status state="up"/>
                     <address addr="69.63.184.145" addrtype="ipv4"/>
                     <ports>
                       <extraports count="98" state="filtered"/>
                       <port portid="80" protocol="tcp">
                         <state state="open"/>
                         <service name="http" product="Apache httpd"
                                  version="1.3.41.fb1"/>
                       </port>
                       <port portid="443" protocol="tcp">
                         <state state="open"/>
                         <service name="http" product="Apache httpd" tunnel="ssl"
                                  version="1.3.41.fb1"/>
                       </port>
                     </ports>
                   </host>
                 </b>
               </hostdiff>
             </scandiff>
           </nmapdiff>
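
       The following is an added example, not part of the Ndiff distribution
       or of the original page: a Python parser that walks the hostdiff,
       portdiff, a and b elements described above and turns them into change
       records suitable for alerting. The sample document is constructed by
       trimming Example 2; the function names are hypothetical, and treating
       a host wrapped only in a as "gone" is an assumption that mirrors the
       documented b-only case.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's Example 2, trimmed to the elements used below.
SAMPLE = """<nmapdiff version="1"><scandiff>
<hostdiff><host><address addr="69.63.178.41" addrtype="ipv4"/>
  <ports><portdiff><port portid="80" protocol="tcp"><state state="open"/>
    <a><service name="http"/></a>
    <b><service name="http" product="lighttpd" version="1.5.0"/></b>
  </port></portdiff></ports></host></hostdiff>
<hostdiff><host><address addr="69.63.179.25" addrtype="ipv4"/>
  <hostnames><a><hostname name="cm.out.snc1.tfbnw.net"/></a>
    <b><hostname name="mailout-snc1.facebook.com"/></b></hostnames></host></hostdiff>
<hostdiff><b><host><address addr="69.63.184.145" addrtype="ipv4"/>
  <ports><port portid="80" protocol="tcp"><state state="open"/></port>
    <port portid="443" protocol="tcp"><state state="open"/></port></ports></host></b></hostdiff>
</scandiff></nmapdiff>"""

def _service(side):  # "name product version" of the <service> under an <a> or <b>
    svc = side.find("service") if side is not None else None
    keys = ("name", "product", "version")
    return " ".join(svc.get(k) for k in keys if svc.get(k)) if svc is not None else "(none)"

def _open_ports(host):
    return [f"{p.get('portid')}/{p.get('protocol')}" for p in host.iter("port")
            if p.find("state") is not None and p.find("state").get("state") == "open"]

def summarize(xml_text):
    """Return (kind, address, detail) tuples for the changes in an ndiff --xml document."""
    events = []
    for hd in ET.fromstring(xml_text).iter("hostdiff"):
        host = hd.find("host")
        if host is None:  # whole host wrapped in <b> (new) or, by assumption, <a> (gone)
            for kind, h in (("host-gone", hd.find("a/host")), ("host-new", hd.find("b/host"))):
                if h is not None:
                    events.append((kind, h.find("address").get("addr"), ",".join(_open_ports(h))))
            continue
        addr = host.find("address").get("addr")
        old, new = (host.find(f"hostnames/{side}/hostname") for side in "ab")
        if old is not None or new is not None:
            names = [e.get("name") if e is not None else "(none)" for e in (old, new)]
            events.append(("hostname", addr, " -> ".join(names)))
        for port in host.findall("ports/portdiff/port"):  # same port, changed service
            spec = f"{port.get('portid')}/{port.get('protocol')}"
            events.append(("service", addr, f"{spec}: {_service(port.find('a'))} -> {_service(port.find('b'))}"))
    return events

if __name__ == "__main__":
    for event in summarize(SAMPLE):
        print(*event, sep="\t")
```

       For monitoring, the host-new records and their open ports are usually
       the ones to route to a reviewer first.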

PERIODIC DIFFS

       Using Nmap, Ndiff, cron, and a shell script, it's possible to scan a
       network daily and get email reports of the state of the network and
       changes since the previous scan. Example 3 shows the script that ties
       it together.

       Example 3. Scanning a network periodically with Ndiff and cron

           #!/bin/sh
           # Hosts or networks to scan, and the Nmap options to scan them with.
           TARGETS="targets"
           OPTIONS="-v -T4 -F -sV"
           date=`date +%F`
           # Stop if the scan directory is missing rather than writing elsewhere.
           cd /root/scans || exit 1
           # -oA writes scan-$date.nmap, scan-$date.gnmap and scan-$date.xml.
           nmap $OPTIONS $TARGETS -oA scan-$date > /dev/null
           # Diff against the previous scan, if there is one.
           if [ -e scan-prev.xml ]; then
                   ndiff scan-prev.xml scan-$date.xml > diff-$date
                   echo "*** NDIFF RESULTS ***"
                   cat diff-$date
                   echo
           fi
           echo "*** NMAP RESULTS ***"
           cat scan-$date.nmap
           # Today's scan becomes the baseline for the next run.
           ln -sf scan-$date.xml scan-prev.xml

       If the script is saved as /root/scan-ndiff.sh, add the following line
       to root's crontab:

           0 12 * * * /root/scan-ndiff.sh

EXIT CODE

       The exit code indicates whether the scans are equal.

       ·   0 means that the scans are the same in all the aspects Ndiff knows
           about.

       ·   1 means that the scans differ.

       ·   2 indicates a runtime error, such as the failure to open a file.

BUGS

       Report bugs to the nmap-dev mailing list at nmap-dev@insecure.org.

HISTORY

       Ndiff started as a project by Michael Pattrick during the 2008 Google
       Summer of Code. Michael designed the program and led the discussion of
       its output formats. He wrote versions of the program in Perl and C++,
       but the summer ended shortly after it was decided to rewrite the
       program in Python for the sake of Windows (and Zenmap) compatibility.
       This Python version was written by David Fifield. James Levine
       released[1] a Perl script named Ndiff with similar functionality in
       2000.

AUTHORS

       David Fifield david@bamsoftware.com

       Michael Pattrick mpattrick@rhinovirus.org

WEB SITE

       http://nmap.org/ndiff/

NOTES

        1. released
           http://seclists.org/nmap-hackers/2000/315

Ndiff                             02/11/2011                          NDIFF(1)