1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
|
<!--
DTD for the Ndiff XML output format.
David Fifield <david@bamsoftware.com>
Ndiff XML output is similar to Nmap XML output. Inside of the root
nmapdiff element, the scandiff element represents a single diff of two
scans. Inside scandiff, host differences are within hostdiff elements
and port differences are within portdiff elements. These may appear
anywhere where host and port elements would appear, respectively.
Within a hostdiff or portdiff, differences are shown with a and b
elements, which show the state of things in the A and B
scan, respectively. These elements can appear most places in the output.
The output may contain hosts and ports that haven't changed. These are
stored in normal host and port elements.
Examples:
A host in the A scan but not in the B scan.
<hostdiff>
<a>
<host>...</host>
</a>
</hostdiff>
A host in the B scan but not in the A scan.
<hostdiff>
<b>
<host>...</host>
</b>
</hostdiff>
A host that gained a hostname and had a port change state. Port 22 is
unchanged.
<hostdiff>
<host>
<hostnames>
<hostname name="abc.example.com/>
<b>
<hostname name="xyz.example.com/>
</b>
</hostnames>
<ports>
<portdiff>
<a>
<port portid="10" protocol="tcp">
<state state="open"/>
</port>
</a>
<b>
<port portid="10" protocol="tcp">
<state state="closed"/>
</port>
</b>
<port portid="22" protocol="tcp">
<state state="open"/>
</port>
</portdiff>
</ports>
</host>
</hostdiff>
-->
<!-- Parameter entities defining "data types" used in the rest of the
DTD. -->
<!ENTITY % host-state "(unknown | up | down)">
<!ENTITY % address-type "(ipv4 | ipv6 | mac)">
<!ENTITY % protocol "(ip | tcp | udp)">
<!ENTITY % port-state "CDATA">
<!ELEMENT nmapdiff (scandiff)>
<!-- The current version is "1". Lack of a version attribute indicates
version 0, which was rather different. -->
<!ATTLIST nmapdiff version CDATA #IMPLIED>
<!ELEMENT scandiff (prescript | hostdiff | host | postscript | (a, b?) | b)*>
<!ELEMENT nmaprun EMPTY>
<!ATTLIST nmaprun
scanner CDATA #REQUIRED
args CDATA #IMPLIED
start CDATA #IMPLIED
startstr CDATA #IMPLIED
version CDATA #REQUIRED>
<!ELEMENT prescript (script* | (a, b?) | b)>
<!ELEMENT postscript (script* | (a, b?) | b)>
<!ELEMENT hostdiff (host | (a, b?) | b)>
<!ELEMENT host (status | address | hostnames | ports | os | hostscript | a | b)*>
<!ELEMENT status EMPTY>
<!ATTLIST status state %host-state; #REQUIRED>
<!ELEMENT hostnames (hostname | a | b)*>
<!ELEMENT address EMPTY>
<!ATTLIST address addr CDATA #REQUIRED
addrtype %address-type; "ipv4">
<!ELEMENT hostname EMPTY>
<!ATTLIST hostname name CDATA #REQUIRED>
<!ELEMENT ports ((extraports* | (a, b))?, (portdiff | port)*)>
<!ELEMENT portdiff (port | (a, b?) | b)>
<!ELEMENT extraports EMPTY>
<!ATTLIST extraports state %port-state; #REQUIRED
count CDATA #REQUIRED>
<!ELEMENT port (state | service | script | a | b)*>
<!ATTLIST port protocol %protocol; #REQUIRED
portid CDATA #REQUIRED>
<!ELEMENT state EMPTY>
<!ATTLIST state state %port-state; #REQUIRED>
<!ELEMENT service EMPTY>
<!ATTLIST service name CDATA #IMPLIED
product CDATA #IMPLIED
version CDATA #IMPLIED
extrainfo CDATA #IMPLIED
tunnel CDATA #IMPLIED>
<!ELEMENT script EMPTY>
<!ATTLIST script id CDATA #REQUIRED
output CDATA #REQUIRED>
<!ELEMENT os (osmatch | a | b)*>
<!ELEMENT osmatch EMPTY>
<!ATTLIST osmatch name CDATA #REQUIRED>
<!ELEMENT hostscript (script | a | b)*>
<!ENTITY % diff-elem "(nmaprun | prescript | postscript | host | status | address | hostname | extraports* | port | state | service | script | os | osmatch* | hostscript)">
<!ELEMENT a %diff-elem;>
<!ELEMENT b %diff-elem;>
|
