RE: How to aggregate output of NMAP

From: Lodin, Steven {GZ-Q~Mannheim} (STEVEN.LODIN@Roche.COM)
Date: 02/05/02

Date: Tue, 05 Feb 2002 21:38:45 +0100
From: "Lodin, Steven {GZ-Q~Mannheim}" <STEVEN.LODIN@Roche.COM>
To: 'Carmelo Floridia' <>,

Someone else mentioned Perl and gave a small code example. If this is interesting to you, check out ndiff (Nmap diff). I don't have the URL, but if I remember correctly, I found it from one of the nmap mailing list archives on

I think I would use a combination of grep/cut/sort/uniq/wc for the how many part. One question you didn't ask is "what are the web servers". For this, I use Whisker to classify the web servers. Any better options?

Another thought came to me... Perhaps the scanssh program has some summarization code in it as well that could be reused...

Steve Lodin
Head of Global IT Security
Roche Diagnostics
(W) +49-621-759-5276
(M) +49-173-348-4974
> I used nmap -sS -p80,25,110,21 172.31.*.* -oN output
> do you know if exist any tool to summarize the result in
> order to know (for
> example):
> how may WEB answered
> who are the web server
> hom many FTP
> who are ftp
> I used nlog....any other tool?

This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see: