Home page logo
Zenmap screenshot
Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
Example Nmap output

Nmap Network Scanning


Let's use Ndiff to compare the output of two Nmap scans that use different options. In the first, we'll do a fast scan (-F), which scans fewer ports for speed. In the second, we'll scan the larger default set of ports, and run an NSE script.

# nmap -F scanme.nmap.org -oX scanme-1.xml
# nmap --script=html-title scanme.nmap.org -oX scanme-2.xml
$ ndiff -v scanme-1.xml scanme-2.xml
-Nmap 5.35DC1 at 2010-07-16 12:09
+Nmap 5.35DC1 at 2010-07-16 12:13

 scanme.nmap.org (
 Host is up.
-Not shown: 95 filtered ports
+Not shown: 993 filtered ports
 22/tcp    open   ssh
 25/tcp    closed smtp
 53/tcp    open   domain
+70/tcp    closed gopher
 80/tcp    open   http
+|_ html-title: Go ahead and ScanMe!
 113/tcp   closed auth
+31337/tcp closed Elite

Changes are marked by a - or + at the beginning of a line. We can see from the output that the scan without the -F fast scan option found two additional ports: 70 and 31337. The html-title script produced some additional output for port 80. From the port counts, we may infer that the fast scan scanned 100 ports (95 filtered, 3 open, and 2 closed), while the normal scan scanned 1000 (993 filtered, 3 open, and 4 closed).

The -v (or --verbose) option to Ndiff made it show even the ports that didn't change, like 22 and 25. Without -v, they would not have been shown.

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]