Re: How to aggregate output of NMAP

From: Fyodor (
Date: 02/06/02

Date: Tue, 5 Feb 2002 19:54:18 -0800
From: Fyodor <>
To: "Lodin, Steven {GZ-Q~Mannheim}" <STEVEN.LODIN@Roche.COM>

On Tue, Feb 05, 2002 at 09:38:45PM +0100, Lodin, Steven {GZ-Q~Mannheim} wrote:

> Someone else mentioned Perl and gave a small code example. If this
> is interesting to you, check out ndiff (Nmap diff). I don't have
> the URL, but if I remember correctly, I found it from one of the
> nmap mailing list archives on

Ndiff was written by James Levine and is available at .

Also, it sounds like the original poster had very simple needs, such
as obtaining a list of ftp or web servers. The Nmap "grepable"
output mode may be sufficient. The syntax is "-oG <filename>" and it
puts the most critical info about a host on a line like this:

Host: ( Ports: 22/open/tcp//ssh///, 53/open/tcp//domain///, 515/open/tcp//printer///, 6000/open/tcp//X11/// Ignored State: closed (1548) OS: Linux Kernel 2.4.0 - 2.4.17 (X86) Seq Index: 3696008 IPID Seq: All zeros

You can easily grep the file for ports like "/dtspc/" and OS strings like
"Solaris". If there are a lot of results, you can obtain just the IPs
by piping them to standard shell commands like 'cut "-d " -f2'.

All this being said, I recommend the XML output mode (-oX) for more
involved analysis and feeding results to other nontrivial programs.
The XML also contains some info that I haven't found a place for in
the normal (or grepable) output formats.
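
Added example, not part of the original message: a state-aware filter for the grepable output described above, since a plain grep for "/ssh/" also matches hosts where that port is listed as closed or filtered. The function names and the sample scan lines (documentation addresses) are constructed for illustration, and the script assumes the tab-separated fields that real -oG files use.

```shell
#!/bin/sh
# hosts_with_open SERVICE [FILE...]
# Print the IP of each host in Nmap grepable (-oG) output that has SERVICE
# in state "open". Reads standard input when no FILE is given.
# (hosts_with_open and sample_scan are hypothetical helper names.)
hosts_with_open() {
    svc=$1; shift
    awk -F'\t' -v svc="$svc" '
        /^Host: / {
            split($1, h, " ")                 # h[2] is the IP address
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                n = split(substr($i, 8), ports, ", ")
                for (j = 1; j <= n; j++) {
                    # entry layout: port/state/protocol/owner/service/rpcinfo/version/
                    split(ports[j], f, "/")
                    if (f[2] == "open" && f[5] == svc) {
                        print h[2]
                        break                 # one line per host, even with several matching ports
                    }
                }
            }
        }' "$@"
}

# Constructed sample input: three hosts in -oG layout.
sample_scan() {
    printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///\tIgnored State: filtered (1546)\n'
    printf 'Host: 192.0.2.11 ()\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 8080/open/tcp//http///\n'
    printf 'Host: 192.0.2.12 ()\tStatus: Up\n'
}

# grep alone reports both .10 and .11 for "/ssh/"; the filter reports only .10.
sample_scan | hosts_with_open ssh
```

With a real scan file the call is `hosts_with_open ssh scan.gnmap`, where scan.gnmap is a placeholder for the file given to -oG.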

