Ndiff

Ndiff is a tool to aid in the comparison of Nmap scans. Specifically, it
takes two Nmap XML output files and prints the differences between them:
hosts coming up and down, ports becoming open or closed, and things like
that.

To install, run (as root)
	python setup.py install
It's also possible to run the program from within the distribution
without installing it.

Use "ndiff --help" for usage instructions. Output can be in
human-readable text format ("ndiff --text") or machine-readable XML
format ("ndiff --xml").

Here is a sample of the text output:

	$ ./ndiff test-scans/random-1.xml test-scans/random-2.xml
	Thu Sep 11 11:39:32 2008 -> Tue Sep 16 13:59:22 2008
	cuvtdnray-504.example.com (10.214.143.33):
		Host is up, was unknown.
		Add ipv4 address 10.214.143.33.
		Add hostname cuvtdnray-504.example.com.
		3389/tcp is open.
		999 tcp ports are filtered.
	scnqxez-842.example.com (10.189.71.117):
		Remove hostname scnqxez-842.example.com.
	10.226.19.80:
		21/tcp is open, was filtered.
		23/tcp is open, was filtered.
		80/tcp is open, was filtered.
		8701/tcp is filtered, was open.
	ywnleu-108.example.com (10.242.160.155):
		Host is up, was unknown.
		Add ipv4 address 10.242.160.155.
		Add hostname ywnleu-108.example.com.
		1000 tcp ports are filtered.

Here is an abbreviated sample of the XML output:

	$ ./ndiff --xml test-scans/random-1.xml test-scans/random-2.xml
	<?xml version="1.0" encoding="UTF-8"?>
	<nmapdiff>
	  <scandiff a-start="1221154772" b-start="1221595162">
	    <host>
	      <address addr="10.214.143.33" addrtype="ipv4"/>
	      <hostname name="cuvtdnray-504.example.com"/>
	      <host-state-change a-state="unknown" b-state="up"/>
	      <host-address-add>
		<address addr="10.214.143.33" addrtype="ipv4"/>
	      </host-address-add>
	      <host-hostname-add>
		<hostname name="cuvtdnray-504.example.com"/>
	      </host-hostname-add>
	      <port-state-change a-state="unknown" b-state="filtered" portid="1" protocol="tcp"/>
	      <port-state-change a-state="unknown" b-state="filtered" portid="3" protocol="tcp"/>
	      <port-state-change a-state="unknown" b-state="filtered" portid="4" protocol="tcp"/>
	    </host>
	    <host>
	      <address addr="10.189.71.117" addrtype="ipv4"/>
	      <hostname name="scnqxez-842.example.com"/>
	      <host-hostname-remove>
		<hostname name="scnqxez-842.example.com"/>
	      </host-hostname-remove>
	    </host>
	  </scandiff>
	</nmapdiff>

Ndiff started as a project by Michael Pattrick <mpattrick@rhinovirus.org>
during the 2008 Google Summer of Code. Michael designed the program and
led the discussion of its output formats. He wrote versions of the
program in Perl and C++, but the summer ended shortly after it was
decided to rewrite the program in Python for the sake of Windows
compatibility. This Python version is written by David Fifield
<david@bamsoftware.com>.

Ndiff web site: http://nmap.org/ndiff/