Let's use Ndiff to compare the output of two Nmap scans that use
different options. In the first, we'll do a fast scan
-F), which scans fewer ports for speed. In the
second, we'll scan the larger default set of ports, and run an NSE
nmap -F scanme.nmap.org -oX scanme-1.xml
nmap --script=html-title scanme.nmap.org -oX scanme-2.xml
ndiff -v scanme-1.xml scanme-2.xml
-Nmap 5.35DC1 at 2010-07-16 12:09
+Nmap 5.35DC1 at 2010-07-16 12:13
Host is up.
-Not shown: 95 filtered ports
+Not shown: 993 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh
25/tcp closed smtp
53/tcp open domain
+70/tcp closed gopher
80/tcp open http
+|_ html-title: Go ahead and ScanMe!
113/tcp closed auth
+31337/tcp closed Elite
Changes are marked by a
at the beginning of a line. We can see from the output that the scan
-F fast scan option found two
additional ports: 70 and 31337. The
html-title script produced some additional
output for port 80. From the port counts, we may infer that the fast
scan scanned 100 ports (95 filtered, 3 open, and 2 closed), while
the normal scan scanned 1000 (993 filtered, 3 open, and 4 closed).
--verbose) option to
Ndiff made it show even the ports that didn't change, like 22 and
-v, they would not have been shown.