NDIFF(1)                         User Commands                        NDIFF(1)

NAME
       ndiff - Utility to compare the results of Nmap scans

SYNOPSIS
       ndiff [options] {a.xml} {b.xml}

DESCRIPTION
       Ndiff is a tool to aid in the comparison of Nmap scans. It takes two
       Nmap XML output files and prints the differences between them. The
       differences observed are:

       ·   Host states (e.g. up to down)

       ·   Port states (e.g. open to closed)

       ·   Service versions (from -sV)

       ·   OS matches (from -O)

       ·   Script output

       Ndiff, like the standard diff utility, compares two scans at a time.

OPTIONS
       -h, --help
           Show a help message and exit.

       -v, --verbose
           Include all hosts and ports in the output, not only those that
           have changed.

       --text
           Write output in human-readable text format. This is the default.

       --xml
           Write output in machine-readable XML format. The document
           structure is defined in the file ndiff.dtd included in the
           distribution.

       Any other arguments are taken to be the names of Nmap XML output
       files. There must be exactly two.

EXAMPLE
       Let's use Ndiff to compare the output of two Nmap scans that use
       different options. In the first, we'll do a fast scan (-F), which
       scans fewer ports for speed. In the second, we'll scan the larger
       default set of ports, and run an NSE script.

           # nmap -F scanme.nmap.org -oX scanme-1.xml
           # nmap --script=html-title scanme.nmap.org -oX scanme-2.xml
           $ ndiff -v scanme-1.xml scanme-2.xml
           -Nmap 5.35DC1 at 2010-07-16 12:09
           +Nmap 5.35DC1 at 2010-07-16 12:13

            scanme.nmap.org (64.13.134.52):
            Host is up.
           -Not shown: 95 filtered ports
           +Not shown: 993 filtered ports
            PORT      STATE  SERVICE VERSION
            22/tcp    open   ssh
            25/tcp    closed smtp
            53/tcp    open   domain
           +70/tcp    closed gopher
            80/tcp    open   http
           +|_ html-title: Go ahead and ScanMe!
            113/tcp   closed auth
           +31337/tcp closed Elite

       Changes are marked by a - or + at the beginning of a line. We can see
       from the output that the scan without the -F fast scan option found
       two additional ports: 70 and 31337. The html-title script produced
       some additional output for port 80. From the port counts, we may infer
       that the fast scan scanned 100 ports (95 filtered, 3 open, and 2
       closed), while the normal scan scanned 1000 (993 filtered, 3 open, and
       4 closed).

       The -v (or --verbose) option to Ndiff made it show even the ports that
       didn't change, like 22 and 25. Without -v, they would not have been
       shown.

OUTPUT FORMATS
       There are two output modes: text and XML. Text output is the default,
       and can also be selected with the --text option. Text output resembles
       a unified diff of Nmap's normal terminal output. Each line is preceded
       by a character indicating whether and how it changed. - means that the
       line was in the first scan but not in the second; + means it was in
       the second but not the first. A line that changed is represented by a
       - line followed by a + line. Lines that did not change are preceded by
       a blank space.

       Example 1 is an example of text output. Here, port 80 on the host
       photos-cache-snc1.facebook.com gained a service version (lighttpd
       1.5.0). The host at 69.63.179.25 changed its reverse DNS name. The
       host at 69.63.184.145 was completely absent in the first scan but came
       up in the second.

       Example 1. Ndiff text output

           -Nmap 4.85BETA3 at 2009-03-15 11:00
           +Nmap 4.85BETA4 at 2009-03-18 11:00

            photos-cache-snc1.facebook.com (69.63.178.41):
            Host is up.
            Not shown: 99 filtered ports
            PORT    STATE SERVICE  VERSION
           -80/tcp  open  http
           +80/tcp  open  http     lighttpd 1.5.0

           -cm.out.snc1.tfbnw.net (69.63.179.25):
           +mailout-snc1.facebook.com (69.63.179.25):
            Host is up.
            Not shown: 100 filtered ports

           +69.63.184.145:
           +Host is up.
           +Not shown: 98 filtered ports
           +PORT    STATE SERVICE  VERSION
           +80/tcp  open  http     Apache httpd 1.3.41.fb1
           +443/tcp open  ssl/http Apache httpd 1.3.41.fb1

       XML output, intended to be processed by other programs, is selected
       with the --xml option. It is based on Nmap's XML output, with a few
       additional elements to indicate differences. The XML document is
       enclosed in nmapdiff and scandiff elements. Host differences are
       enclosed in hostdiff tags and port differences are enclosed in
       portdiff tags. Inside a hostdiff or portdiff, a and b tags show the
       state of the host or port in the first scan (a) or the second scan
       (b).

       Example 2 shows the XML diff of the same scans shown above in
       Example 1. Notice how port 80 of photos-cache-snc1.facebook.com is
       enclosed in portdiff tags. For 69.63.179.25, the old hostname is in a
       tags and the new is in b. For the new host 69.63.184.145, there is a b
       in the hostdiff without a corresponding a, indicating that there was
       no information for the host in the first scan.

       Example 2. Ndiff XML output

           <?xml version="1.0" encoding="UTF-8"?>
           <nmapdiff version="1">
           <scandiff>
             <hostdiff>
               <host>
                 <status state="up"/>
                 <address addr="69.63.178.41" addrtype="ipv4"/>
                 <hostnames>
                   <hostname name="photos-cache-snc1.facebook.com"/>
                 </hostnames>
                 <ports>
                   <extraports count="99" state="filtered"/>
                   <portdiff>
                     <port portid="80" protocol="tcp">
                       <state state="open"/>
                       <a>
                         <service name="http"/>
                       </a>
                       <b>
                         <service name="http" product="lighttpd" version="1.5.0"/>
                       </b>
                     </port>
                   </portdiff>
                 </ports>
               </host>
             </hostdiff>
             <hostdiff>
               <host>
                 <status state="up"/>
                 <address addr="69.63.179.25" addrtype="ipv4"/>
                 <hostnames>
                   <a>
                     <hostname name="cm.out.snc1.tfbnw.net"/>
                   </a>
                   <b>
                     <hostname name="mailout-snc1.facebook.com"/>
                   </b>
                 </hostnames>
                 <ports>
                   <extraports count="100" state="filtered"/>
                 </ports>
               </host>
             </hostdiff>
             <hostdiff>
               <b>
                 <host>
                   <status state="up"/>
                   <address addr="69.63.184.145" addrtype="ipv4"/>
                   <ports>
                     <extraports count="98" state="filtered"/>
                     <port portid="80" protocol="tcp">
                       <state state="open"/>
                       <service name="http" product="Apache httpd"
                                version="1.3.41.fb1"/>
                     </port>
                     <port portid="443" protocol="tcp">
                       <state state="open"/>
                       <service name="http" product="Apache httpd" tunnel="ssl"
                                version="1.3.41.fb1"/>
                     </port>
                   </ports>
                 </host>
               </b>
             </hostdiff>
           </scandiff>
           </nmapdiff>
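
       The structure described above is simple enough to consume from a
       script. What follows is an added example, not part of Ndiff or of
       this manual: a Python parser that walks an ndiff --xml document and
       emits one flat record per a/b pair, whether the pair sits directly
       under a hostdiff (host present in only one scan), under a host's
       hostnames, under a port (service change) or under a portdiff. It uses
       only the element and attribute names visible in Example 2; its sample
       input is Example 2 with the whitespace compacted, and the function
       names and record layout are this example's own.

```python
"""Flatten `ndiff --xml` output into change records.

Added example, not ndiff's own code. It relies only on the structure the man
page documents (nmapdiff > scandiff > hostdiff/portdiff, with a/b pairs holding
the first-scan and second-scan state) and on the element and attribute names
seen in Example 2. Function names and the record layout are its own.
"""
import xml.etree.ElementTree as ET

# Constructed sample input: Example 2 from this page, whitespace compacted.
SAMPLE_NDIFF_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<nmapdiff version="1"><scandiff>
<hostdiff><host><status state="up"/><address addr="69.63.178.41" addrtype="ipv4"/>
<hostnames><hostname name="photos-cache-snc1.facebook.com"/></hostnames>
<ports><extraports count="99" state="filtered"/>
<portdiff><port portid="80" protocol="tcp"><state state="open"/>
<a><service name="http"/></a>
<b><service name="http" product="lighttpd" version="1.5.0"/></b>
</port></portdiff></ports></host></hostdiff>
<hostdiff><host><status state="up"/><address addr="69.63.179.25" addrtype="ipv4"/>
<hostnames><a><hostname name="cm.out.snc1.tfbnw.net"/></a>
<b><hostname name="mailout-snc1.facebook.com"/></b></hostnames>
<ports><extraports count="100" state="filtered"/></ports></host></hostdiff>
<hostdiff><b><host><status state="up"/><address addr="69.63.184.145" addrtype="ipv4"/>
<ports><extraports count="98" state="filtered"/>
<port portid="80" protocol="tcp"><state state="open"/>
<service name="http" product="Apache httpd" version="1.3.41.fb1"/></port>
<port portid="443" protocol="tcp"><state state="open"/>
<service name="http" product="Apache httpd" tunnel="ssl" version="1.3.41.fb1"/></port>
</ports></host></b></hostdiff>
</scandiff></nmapdiff>
"""

def _flatten(elem, prefix=""):
    """Render every attributed element below an <a> or <b> side as
    'path attr=value ...' so the two sides can be compared as plain strings."""
    out = []
    for child in elem:
        path = prefix + child.tag
        if child.attrib:
            attrs = " ".join("%s=%s" % kv for kv in sorted(child.attrib.items()))
            out.append(path + " " + attrs)
        out.extend(_flatten(child, path + "/"))
    return out

def _addr(host):
    address = host.find("address")
    return address.get("addr") if address is not None else "?"

def _port_spec(port):
    return "%s/%s" % (port.get("portid"), port.get("protocol"))

def _record(addr, where, port, a, b):
    """One change. 'where' is the tag holding the a/b pair; a side that is
    None means the host or port had no entry at all in that scan."""
    kind = "added" if a is None else "removed" if b is None else "changed"
    return {"addr": addr, "where": where, "port": port, "kind": kind,
            "a": None if a is None else _flatten(a),
            "b": None if b is None else _flatten(b)}

def _hostdiff_records(hostdiff):
    a, b = hostdiff.find("a"), hostdiff.find("b")
    if a is not None or b is not None:
        # The whole host is wrapped in a or b: it exists in only one scan.
        host = (b if b is not None else a).find("host")
        return [_record(_addr(host), "hostdiff", None, a, b)]
    host = hostdiff.find("host")
    addr = _addr(host)
    records = []
    for parent in host.iter():          # document order, host itself included
        a, b = parent.find("a"), parent.find("b")
        if a is None and b is None:
            continue
        port = None
        if parent.tag == "port":        # service or script change on one port
            port = _port_spec(parent)
        elif parent.tag == "portdiff":  # the port itself differs; sides hold <port>
            side_port = (b if b is not None else a).find("port")
            port = None if side_port is None else _port_spec(side_port)
        records.append(_record(addr, parent.tag, port, a, b))
    return records

def parse_ndiff_xml(data):
    """Parse an ndiff --xml document (bytes or str) into change records.
    ndiff output comes from your own scans; if the XML could ever come from
    an untrusted party, parse it with defusedxml rather than ElementTree."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    root = ET.fromstring(data)
    if root.tag != "nmapdiff":
        raise ValueError("not an ndiff XML document (root is <%s>)" % root.tag)
    return [r for hd in root.iter("hostdiff") for r in _hostdiff_records(hd)]

def format_record(r):
    target = r["addr"] + (" " + r["port"] if r["port"] else "")
    return "%s %s %s: %s -> %s" % (target, r["where"], r["kind"], r["a"], r["b"])

if __name__ == "__main__":
    for rec in parse_ndiff_xml(SAMPLE_NDIFF_XML):
        print(format_record(rec))
```

       Run against the sample, the parser yields three records: a service
       change on 69.63.178.41 80/tcp, a hostnames change on 69.63.179.25, and
       an "added" record for 69.63.184.145 whose a side is None. Feeding it
       the bytes of a real ndiff --xml file works the same way; an unchanged
       host with no a/b pairs produces no records, which is the property a
       change-alerting job wants.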

PERIODIC SCANNING
       Using Nmap, Ndiff, cron, and a shell script, it's possible to scan a
       network daily and get email reports of the state of the network and
       changes since the previous scan. Example 3 shows the script that ties
       it together. The script writes its report to standard output; cron
       mails whatever a job prints to the owner of the crontab, which is how
       the report is delivered.

       Example 3. Scanning a network periodically with Ndiff and cron

           #!/bin/sh
           # Hosts or networks to scan (a placeholder; substitute your own).
           TARGETS="targets"
           OPTIONS="-v -T4 -F -sV"
           date=$(date +%F)
           # Stop if the scan directory is missing rather than scanning from
           # whatever directory cron happened to start in.
           cd /root/scans || exit 1
           # -oA writes scan-$date.nmap, .gnmap and .xml; Ndiff reads the .xml.
           if ! nmap $OPTIONS $TARGETS -oA "scan-$date" > /dev/null; then
               echo "nmap failed; keeping the previous scan as the baseline" >&2
               exit 1
           fi
           if [ -e scan-prev.xml ]; then
               ndiff scan-prev.xml "scan-$date.xml" > "diff-$date"
               echo "*** NDIFF RESULTS ***"
               cat "diff-$date"
               echo
           fi
           echo "*** NMAP RESULTS ***"
           cat "scan-$date.nmap"
           # Today's scan becomes the baseline for tomorrow's comparison.
           ln -sf "scan-$date.xml" scan-prev.xml

       If the script is saved as /root/scan-ndiff.sh, add the following line
       to root's crontab:

           0 12 * * * /root/scan-ndiff.sh


EXIT CODE
       The exit code indicates whether the scans are equal.

       ·   0 means that the scans are the same in all the aspects Ndiff knows
           about.

       ·   1 means that the scans differ.

       ·   2 indicates a runtime error, such as the failure to open a file.

       A script that wraps Ndiff should treat only 0 as "no change". A status
       of 2 means no comparison took place, so it must not be reported the
       same way as two scans that matched; note that a redirection such as
       ndiff a.xml b.xml > diff-file discards the status unless the script
       checks it.
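
       The following is an added example, not part of Ndiff: a small Python
       wrapper that runs ndiff and maps the three exit statuses documented
       above onto a result, raising on status 2 so that a comparison that
       never happened cannot be mistaken for "nothing changed". The function
       name and its ndiff_cmd parameter (present so the logic can be
       exercised with a stand-in command where ndiff is not installed) are
       this example's own.

```python
"""Run ndiff and map its exit status to a result.

Added example, not ndiff's own code. The statuses (0 same, 1 differ, 2 runtime
error) are those documented on this page; compare_scans and the ndiff_cmd
parameter are assumptions of this example.
"""
import subprocess

NDIFF_SAME, NDIFF_DIFFER, NDIFF_ERROR = 0, 1, 2


def compare_scans(a_xml, b_xml, xml=False, ndiff_cmd=("ndiff",)):
    """Return ("same", output) or ("changed", output).

    Status 2, any other unexpected status, or failure to start ndiff at all
    raises RuntimeError instead of returning, so a missing file or a
    non-Nmap XML input surfaces as an error rather than as a quiet "same".
    """
    cmd = list(ndiff_cmd)
    if xml:
        cmd.append("--xml")
    cmd += [a_xml, b_xml]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True)
    except OSError as e:  # e.g. ndiff not on PATH
        raise RuntimeError("cannot run %s: %s" % (cmd[0], e))
    if proc.returncode == NDIFF_SAME:
        return "same", proc.stdout
    if proc.returncode == NDIFF_DIFFER:
        return "changed", proc.stdout
    raise RuntimeError("ndiff exited with status %d: %s"
                       % (proc.returncode, proc.stderr.strip()))


if __name__ == "__main__":
    import sys
    status, text = compare_scans(sys.argv[1], sys.argv[2])
    if status == "changed":
        print(text, end="")
    sys.exit(0 if status == "same" else 1)
```

       Invoked as python3 compare.py scan-prev.xml scan-today.xml, the wrapper
       prints the diff only when something changed and propagates an Ndiff
       runtime error as a Python exception (non-zero exit with a traceback),
       which a cron job or alerting hook can distinguish from a clean "same".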

BUGS
       Report bugs to the nmap-dev mailing list at <dev@nmap.org>.

HISTORY
       Ndiff started as a project by Michael Pattrick during the 2008 Google
       Summer of Code. Michael designed the program and led the discussion of
       its output formats. He wrote versions of the program in Perl and C++,
       but the summer ended shortly after it was decided to rewrite the
       program in Python for the sake of Windows (and Zenmap) compatibility.
       This Python version was written by David Fifield. James Levine
       released[1] a Perl script named Ndiff with similar functionality in
       2000.

AUTHORS
       David Fifield <david@bamsoftware.com>

       Michael Pattrick <mpattrick@rhinovirus.org>

SEE ALSO
       http://nmap.org/ndiff/

NOTES
        1. released
           http://seclists.org/nmap-hackers/2000/315



Ndiff                             07/28/2013                          NDIFF(1)