Output
Any security tool is only as useful as the output it generates. Complex tests and algorithms are of little value if they aren't presented in an organized and comprehensible fashion. Given the number of ways Nmap is used by people and other software, no single format can please everyone. So Nmap offers several formats, including the interactive mode for humans to read directly and XML for easy parsing by software.
In addition to offering different output formats, Nmap provides options for controlling the verbosity of output as well as debugging messages. Output types may be sent to standard output or to named files, which Nmap can append to or clobber. Output files may also be used to resume aborted scans.
Nmap makes output available in five different formats. The default is called interactive output, and it is sent to standard output (stdout). There is also normal output, which is similar to interactive except that it displays less runtime information and warnings since it is expected to be analyzed after the scan completes rather than interactively.
XML output is one of the most important output types, as it can be converted to HTML, easily parsed by programs such as Nmap graphical user interfaces, or imported into databases.
The two remaining output types are the simple grepable output which includes most information for a target host on a single line, and sCRiPt KiDDi3 0utPUt for users who consider themselves |<-r4d.
While interactive output is the default and has no associated command-line options, the other four format options use the same syntax. They take one argument, which is the filename that results should be stored in. Multiple formats may be specified, but each format may only be specified once. For example, you may wish to save normal output for your own review while saving XML of the same scan for programmatic analysis. You might do this with the options -oX myscan.xml -oN myscan.nmap. While this chapter uses the simple names like myscan.xml for brevity, more descriptive names are generally recommended. The names chosen are a matter of personal preference, though I use long ones that incorporate the scan date and a word or two describing the scan, placed in a directory named after the company I'm scanning.
While these options save results to files, Nmap still prints interactive output to stdout as usual. For example, the command nmap -oX myscan.xml target prints XML to myscan.xml and fills standard output with the same interactive results it would have printed if -oX wasn't specified at all. You can change this by passing a hyphen character as the argument to one of the format types. This causes Nmap to deactivate interactive output, and instead print results in the format you specified to the standard output stream. So the command nmap -oX - target will send only XML output to stdout. Serious errors may still be printed to the normal error stream, stderr.
Unlike some Nmap arguments, the space between the logfile option flag (such as -oX) and the filename or hyphen is mandatory. If you omit the space and give arguments such as -oG- or -oXscan.xml, a backwards compatibility feature of Nmap will cause the creation of normal format output files named G- and Xscan.xml respectively.
All of these arguments support strftime-like conversions in the filename. %H, %M, %S, %m, %d, %y, and %Y are all exactly the same as in strftime. %T is the same as %H%M%S, %R is the same as %H%M, and %D is the same as %m%d%y. A % followed by any other character just yields that character (%% gives you a percent symbol). So -oX 'scan-%T-%D.xml' will use an XML file with a name in the form of scan-144840-121307.xml.
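The filename conversion rules above, written out as an added example (this is not Nmap's own code) so a template can be checked before a scan is started. The function name is hypothetical, and keeping a lone trailing % as a literal is an assumption the text does not cover.

```python
from datetime import datetime

# Conversions the text lists as identical to strftime.
STRFTIME_SAME = set("HMSmdyY")
# Shorthands the text defines in terms of those conversions.
SHORTHAND = {"T": "%H%M%S", "R": "%H%M", "D": "%m%d%y"}


def expand_logfile_name(template: str, when: datetime) -> str:
    """Expand an output filename template using the rules stated above."""
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        # Ordinary character, or a lone '%' at the very end (assumption: kept as-is).
        if ch != "%" or i + 1 == len(template):
            out.append(ch)
            i += 1
            continue
        code = template[i + 1]
        if code in STRFTIME_SAME:
            out.append(when.strftime("%" + code))
        elif code in SHORTHAND:
            out.append(when.strftime(SHORTHAND[code]))
        else:
            # Any other character after '%' yields that character,
            # so '%%' gives '%' and an unsupported '%j' gives a plain 'j'.
            out.append(code)
        i += 2
    return "".join(out)


if __name__ == "__main__":
    # Constructed timestamp matching the example filename in the text.
    scan_time = datetime(2007, 12, 13, 14, 48, 40)
    print(expand_logfile_name("scan-%T-%D.xml", scan_time))
    print(expand_logfile_name("acme/%Y%m%d-%R-100%%-%j.nmap", scan_time))
```

The second call shows the fall-through rule: %j is not one of the supported conversions, so it becomes a literal j instead of a day-of-year number.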
Nmap also offers options to control scan verbosity and to append to output files rather than clobbering them. All of these options are described below.
-oN <filespec> (normal output)
-oX <filespec> (XML output)
Requests that XML output be directed to the given filename. Nmap includes a document type definition (DTD) which allows XML parsers to validate Nmap XML output. While it is primarily intended for programmatic use, it can also help humans interpret Nmap XML output. The DTD defines the legal elements of the format, and often enumerates the attributes and values they can take on. The latest version is always available from https://svn.nmap.org/nmap/docs/nmap.dtd.
XML offers a stable format that is easily parsed by software. Free XML parsers are available for all major computer languages, including C/C++, Perl, Python, and Java. People have even written bindings for most of these languages to handle Nmap output and execution specifically. Examples are Nmap::Scanner and Nmap::Parser in Perl CPAN. In almost all cases that a non-trivial application interfaces with Nmap, XML is the preferred format.
-oS <filespec> (ScRipT KIdd|3 oUTpuT)
-oG <filespec> (grepable output)
Grepable output consists of comments (lines starting with a pound (#)) and target lines. A target line includes a combination of six labeled fields, separated by tabs and followed with a colon. The fields are Host, Ports, Protocols, Ignored State, OS, Seq Index, IP ID, and Status.
As with XML output, this man page does not allow for documenting the entire format. A more detailed look at the Nmap grepable output format is available in the section called “Grepable Output (-oG)”.
-oA <basename> (Output to all formats)
-v (Increase verbosity level), -v<level> (Set verbosity level)
Increases the verbosity level, causing Nmap to print more information about the scan in progress. Open ports are shown as they are found and completion time estimates are provided when Nmap thinks a scan will take more than a few minutes. Use it twice or more for even greater verbosity: -vv, or give a verbosity level directly, for example -v3.
-d (Increase debugging level), -d<level> (Set debugging level)
When even verbose mode doesn't provide sufficient data for you, debugging is available to flood you with much more! As with the verbosity option (-v), debugging is enabled with a command-line flag (-d) and the debug level can be increased by specifying it multiple times, as in -dd, or by setting a level directly. For example, -d9 sets level nine. That is the highest effective level and will produce thousands of lines unless you run a very simple scan with very few ports and targets.
Debugging output is useful when a bug is suspected in Nmap, or if you are simply confused as to what Nmap is doing and why. As this feature is mostly intended for developers, debug lines aren't always self-explanatory. You may get something like: Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 14987 ==> srtt: 14987 rttvar: 14987 to: 100000. If you don't understand a line, your only recourses are to ignore it, look it up in the source code, or request help from the development list (nmap-dev). Some lines are self-explanatory, but the messages become more obscure as the debug level is increased.
--reason (Host and port state reasons)
Shows the reason each port is set to a specific state and the reason each host is up or down. This option displays the type of the packet that determined a port's or host's state. For example, a RST packet from a closed port or an echo reply from an alive host. The information Nmap can provide is determined by the type of scan or ping. The SYN scan and SYN ping (-sS and -PS) are very detailed, but the TCP connect scan (-sT) is limited by the implementation of the connect system call. This feature is automatically enabled by the debug option (-d) and the results are stored in XML log files even if this option is not specified.
--stats-every <time> (Print periodic timing stats)
Periodically prints a timing status message after each interval of <time>. The time is a specification of the kind described in the section called “Timing and Performance”; so for example, use --stats-every 10s to get a status update every 10 seconds. Updates are printed to interactive output (the screen) and XML output.
--packet-trace (Trace packets and data sent and received)
--open (Show only open (or possibly open) ports)
Beginning with Nmap 7.40, the --open option implies --defeat-rst-ratelimit, because that option only affects closed and filtered ports, which are hidden by --open.
--iflist (List interfaces and routes)
--append-output (Append to rather than clobber output files)
--resume <filename> (Resume aborted scan)
--noninteractive (Disable runtime interactions)
At times, such as when running Nmap in a shell background, it might be undesirable for Nmap to monitor and respond to user keyboard input when running. (See the section called “Runtime Interaction” about how to control Nmap during a scan.) Use option --noninteractive to prevent Nmap taking control of the terminal.
--stylesheet <path or URL> (Set XSL stylesheet to transform XML output)
Nmap ships with an XSL stylesheet named nmap.xsl for viewing or translating XML output to HTML. The XML output includes an xml-stylesheet directive which points to nmap.xsl where it was initially installed by Nmap. Run the XML file through an XSLT processor such as xsltproc to produce an HTML file. Directly opening the XML file in a browser no longer works well because modern browsers limit the locations a stylesheet may be loaded from. If you wish to use a different stylesheet, specify it as the argument to --stylesheet. You must pass the full pathname or URL. One common invocation is --stylesheet https://nmap.org/svn/docs/nmap.xsl. This tells an XSLT processor to load the latest version of the stylesheet from Nmap.Org. The --webxml option does the same thing with less typing and memorization. Loading the XSL from Nmap.Org makes it easier to view results on a machine that doesn't have Nmap (and thus nmap.xsl) installed. So the URL is often more useful, but the local filesystem location of nmap.xsl is used by default for privacy reasons.
--webxml (Load stylesheet from Nmap.Org)
--no-stylesheet (Omit XSL stylesheet declaration from XML)
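For the -oG entry above, an added example (not Nmap's own code) that splits grepable target lines into their tab-separated, colon-labeled fields and merges the lines for one host. The sample lines are constructed, the function name is hypothetical, and the slash-separated layout inside each Ports entry (port/state/protocol/owner/service/...) is taken from Nmap's grepable output documentation rather than from this section.

```python
# Constructed sample of grepable output (not from a real scan).
SAMPLE_GREPABLE = (
    "# Nmap scan initiated (constructed sample) as: nmap -oG - 192.0.2.10\n"
    "Host: 192.0.2.10 (gw.example.test)\tStatus: Up\n"
    "Host: 192.0.2.10 (gw.example.test)\t"
    "Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/filtered/tcp//mysql///\t"
    "Ignored State: closed (997)\n"
    "# Nmap done (constructed sample)\n"
)


def parse_grepable(text):
    """Map each host address to its status and a list of port tuples."""
    hosts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # comment lines carry no per-host fields
        fields = {}
        for field in line.split("\t"):
            # Each field is "Label: value"; labels may contain spaces.
            label, _, value = field.partition(": ")
            fields[label] = value
        addr = fields["Host"].split(" ", 1)[0]
        rec = hosts.setdefault(addr, {"status": None, "ports": []})
        if "Status" in fields:
            rec["status"] = fields["Status"]
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            portid, state, proto, _owner, service = entry.split("/")[:5]
            rec["ports"].append((int(portid), state, proto, service))
    return hosts


def open_port_numbers(hosts, addr):
    """Return the sorted open port numbers recorded for one host."""
    return sorted(p for p, state, _, _ in hosts[addr]["ports"] if state == "open")


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_GREPABLE)
    print(parsed)
    print(open_port_numbers(parsed, "192.0.2.10"))
```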