Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: best way to scan?
Top Forums UNIX for Dummies Questions & Answers best way to scan? Post 302710581 by DGPickett on Thursday 4th of October 2012 02:56:54 PM
Old 10-04-2012
There are 65536 udp and 65536 tcp ports on each IP address, and you can have sockets on all local sockets (listening 0.0.0.0) or just one, including just localhost (127.0.0.1). Usually, you just use all or localhost. This is IPV4; IPV6 goes wild in lots of ways besides longer (larger) numbers for IP, like anycast addresses.


The tool lsof from Perdue will tell you about all open files, including sockets that can be listening, connected or just open.
  • Connected is bound to a remote IP and port on the same IP Protocol (TCP or UDP).
  • Listening is more a TCP thing, but an open UDP port handler can spin off connected sockets.
  • An open UDP socket can take in UDP packets from all IPs and ports, and can send to the UDP protocol all IPs and ports. DNS is a great example -- sitting there reading packets from everyone, and for every packet read, sending out one packet, either an answer or a forwarded question. It has to keep trackof forwarded questions (recursion) so it can forward answers when they arrive. UDP does not include auto-retransmit, but DNS is an inquiry, so you can just ask again. The first query is not a waste, as it may have stored the answer more closely.
BTW, UDP can be used with broadcast IP on send to send one packet to all open ports of the specified number on all IP of that network. It can be used with MBone IPs to multicast, where lost packets can be recovered on intermediate hosts.
This User Gave Thanks to DGPickett For This Post:
SkySmart
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

IP Name scan

Hi. how to search a range of IP:s for their registed IP names? Like nslookup or host for all IPs 130.xxx.xxx.1 to 130.xxx.xxx.254 //nicke (2 Replies)
Discussion started by: nicke30
2 Replies

2. UNIX for Advanced & Expert Users

Please let me know Regarding Port Scan

Can any one please let me know below ones 1) How to Perform the Port Scan in Solaris Environment and how to block the unwanted Ports. 2) How to know whether particular Port is listning the requests or not? Thanks Ramkumar.B (7 Replies)
Discussion started by: myramkumar
7 Replies

3. Shell Programming and Scripting

How to scan and capture

Hi, I am new to unix. I have a file with records like the below ads-sap-4.txt: </a></b></span><span class="linkbutton yellow_but"><a id="2005754_more" style="cursor:pointer; cursor:hand;"... (3 Replies)
Discussion started by: akondeti
3 Replies

4. Shell Programming and Scripting

scan direcotries

Hi I am new to this forum, and glad to be a part of it here after. I have an intersting issue for which I need suggestions of you great minds. I am in process a building a shell script which should scan a directory for a specified amount of time and prepare a list of all the files that were... (1 Reply)
Discussion started by: nagrcm
1 Replies

5. UNIX for Dummies Questions & Answers

scan and move

i have a script to look for a file, but it moves a file that's being used. i want to use: if file exists > 0, and not being updated/used in the last 2 minutes, move to /tmp i can do this much: if then mv filename.txt /tmp else exit fi or how can i check if... (3 Replies)
Discussion started by: tjmannonline
3 Replies

6. Shell Programming and Scripting

scan directory

The script should _scan a specific directory _If a file name is like one provided, then run the command to send the file via CFT The name should be picked from a list. The current list is : ... (11 Replies)
Discussion started by: fireit
11 Replies

7. AIX

Scan Rates

Dear Gurus, Can any one advice about the normal limits for the Page scanning rates on the AIX platforms, i am having enormous values for the scan rate along the hour it may reache 3000 pages/sec. Regards, Negm (2 Replies)
Discussion started by: Negm
2 Replies

8. Shell Programming and Scripting

scan compressed

Hello all I want to help I have some compressed files on the system When you want to unzip these files Delete any file which symlink "ln -s" {{ I need script is necessary Script contain: Any operation to decompress the system is doing to delete any symlink... (0 Replies)
Discussion started by: x-zer0
0 Replies

9. Red Hat

Scan For new LUNS

In Solaris the administrator has to update /kernel/drv/sd.conf file to tell the sd driver to scan for a broader range of scsi devices. Can someone please tell me what file needs to be update in Redhat Linux 5 for the same. Second part of the question is WWN for HBA's can be found (atleast in my... (1 Reply)
Discussion started by: Tirmazi
1 Replies

10. AIX

Scan Rate

Hello, How can i tell ifthe ratio between fr and sr is ok? is fr/sr ratio of 0.9 acceptable? thanks. (1 Reply)
Discussion started by: LiorAmitai
1 Replies

LEARN ABOUT CENTOS

ndiff

NDIFF(1)							   User Commands							  NDIFF(1)

NAME

       ndiff - Utility to compare the results of Nmap scans

SYNOPSIS

       ndiff [options] {a.xml} {b.xml}

DESCRIPTION

       Ndiff is a tool to aid in the comparison of Nmap scans. It takes two Nmap XML output files and prints the differences between them. The
       differences observed are:

       o   Host states (e.g. up to down)

       o   Port states (e.g. open to closed)

       o   Service versions (from -sV)

       o   OS matches (from -O)

       o   Script output

       Ndiff, like the standard diff utility, compares two scans at a time.

OPTIONS SUMMARY

       -h, --help
	   Show a help message and exit.

       -v, --verbose
	   Include all hosts and ports in the output, not only those that have changed.

       --text
	   Write output in human-readable text format.

       --xml
	   Write output in machine-readable XML format. The document structure is defined in the file ndiff.dtd included in the distribution.

       Any other arguments are taken to be the names of Nmap XML output files. There must be exactly two.

EXAMPLE

       Let's use Ndiff to compare the output of two Nmap scans that use different options. In the first, we'll do a fast scan (-F), which scans
       fewer ports for speed. In the second, we'll scan the larger default set of ports, and run an NSE script.

	   # nmap -F scanme.nmap.org -oX scanme-1.xml
	   # nmap --script=html-title scanme.nmap.org -oX scanme-2.xml
	   $ ndiff -v scanme-1.xml scanme-2.xml
	   -Nmap 5.35DC1 at 2010-07-16 12:09
	   +Nmap 5.35DC1 at 2010-07-16 12:13

	    scanme.nmap.org (64.13.134.52):
	    Host is up.
	   -Not shown: 95 filtered ports
	   +Not shown: 993 filtered ports
	    PORT      STATE  SERVICE VERSION
	    22/tcp    open   ssh
	    25/tcp    closed smtp
	    53/tcp    open   domain
	   +70/tcp    closed gopher
	    80/tcp    open   http
	   +|_ html-title: Go ahead and ScanMe!
	    113/tcp   closed auth
	   +31337/tcp closed Elite

       Changes are marked by a - or + at the beginning of a line. We can see from the output that the scan without the -F fast scan option found
       two additional ports: 70 and 31337. The html-title script produced some additional output for port 80. From the port counts, we may infer
       that the fast scan scanned 100 ports (95 filtered, 3 open, and 2 closed), while the normal scan scanned 1000 (993 filtered, 3 open, and 4
       closed).

       The -v (or --verbose) option to Ndiff made it show even the ports that didn't change, like 22 and 25. Without -v, they would not have been
       shown.

OUTPUT

       There are two output modes: text and XML. Text output is the default, and can also be selected with the --text option. Text output
       resembles a unified diff of Nmap's normal terminal output. Each line is preceded by a character indicating whether and how it changed.  -
       means that the line was in the first scan but not in the second; + means it was in the second but not the first. A line that changed is
       represented by a - line followed by a + line. Lines that did not change are preceded by a blank space.

       Example 1 is an example of text output. Here, port 80 on the host photos-cache-snc1.facebook.com gained a service version (lighttpd 1.5.0).
       The host at 69.63.179.25 changed its reverse DNS name. The host at 69.63.184.145 was completely absent in the first scan but came up in the
       second.

       Example 1. Ndiff text output

	   -Nmap 4.85BETA3 at 2009-03-15 11:00
	   +Nmap 4.85BETA4 at 2009-03-18 11:00

	    photos-cache-snc1.facebook.com (69.63.178.41):
	    Host is up.
	    Not shown: 99 filtered ports
	    PORT   STATE SERVICE VERSION
	   -80/tcp open  http
	   +80/tcp open  http	 lighttpd 1.5.0

	   -cm.out.snc1.tfbnw.net (69.63.179.25):
	   +mailout-snc1.facebook.com (69.63.179.25):
	    Host is up.
	    Not shown: 100 filtered ports

	   +69.63.184.145:
	   +Host is up.
	   +Not shown: 98 filtered ports
	   +PORT    STATE SERVICE  VERSION
	   +80/tcp  open  http	   Apache httpd 1.3.41.fb1
	   +443/tcp open  ssl/http Apache httpd 1.3.41.fb1

       XML output, intended to be processed by other programs, is selected with the --xml option. It is based on Nmap's XML output, with a few
       additional elements to indicate differences. The XML document is enclosed in nmapdiff and scandiff elements. Host differences are enclosed
       in hostdiff tags and port differences are enclosed in portdiff tags. Inside a hostdiff or portdiff, a and b tags show the state of the host
       or port in the first scan (a) or the second scan (b).

       Example 2 shows the XML diff of the same scans shown above in Example 1. Notice how port 80 of photos-cache-snc1.facebook.com is enclosed
       in portdiff tags. For 69.63.179.25, the old hostname is in a tags and the new is in b. For the new host 69.63.184.145, there is a b in the
       hostdiff without a corresponding a, indicating that there was no information for the host in the first scan.

       Example 2. Ndiff XML output

	   <?xml version="1.0" encoding="UTF-8"?>
	   <nmapdiff version="1">
	     <scandiff>
	       <hostdiff>
		 <host>
		   <status state="up"/>
		   <address addr="69.63.178.41" addrtype="ipv4"/>
		   <hostnames>
		     <hostname name="photos-cache-snc1.facebook.com"/>
		   </hostnames>
		   <ports>
		     <extraports count="99" state="filtered"/>
		     <portdiff>
		       <port portid="80" protocol="tcp">
			 <state state="open"/>
			 <a>
			   <service name="http"/>
			 </a>
			 <b>
			   <service name="http" product="lighttpd" version="1.5.0"/>
			 </b>
		       </port>
		     </portdiff>
		   </ports>
		 </host>
	       </hostdiff>
	       <hostdiff>
		 <host>
		   <status state="up"/>
		   <address addr="69.63.179.25" addrtype="ipv4"/>
		   <hostnames>
		     <a>
		       <hostname name="cm.out.snc1.tfbnw.net"/>
		     </a>
		     <b>
		       <hostname name="mailout-snc1.facebook.com"/>
		     </b>
		   </hostnames>
		   <ports>
		     <extraports count="100" state="filtered"/>
		   </ports>
		 </host>
	       </hostdiff>
	       <hostdiff>
		 <b>
		   <host>
		     <status state="up"/>
		     <address addr="69.63.184.145" addrtype="ipv4"/>
		     <ports>
		       <extraports count="98" state="filtered"/>
		       <port portid="80" protocol="tcp">
			 <state state="open"/>
			 <service name="http" product="Apache httpd"
				  version="1.3.41.fb1"/>
		       </port>
		       <port portid="443" protocol="tcp">
			 <state state="open"/>
			 <service name="http" product="Apache httpd" tunnel="ssl"
				  version="1.3.41.fb1"/>
		       </port>
		     </ports>
		   </host>
		 </b>
	       </hostdiff>
	     </scandiff>
	   </nmapdiff>

PERIODIC DIFFS

       Using Nmap, Ndiff, cron, and a shell script, it's possible to scan a network daily and get email reports of the state of the network and
       changes since the previous scan.  Example 3 shows the script that ties it together.

       Example 3. Scanning a network periodically with Ndiff and cron

	   #!/bin/sh
	   TARGETS="targets"
	   OPTIONS="-v -T4 -F -sV"
	   date=`date +%F`
	   cd /root/scans
	   nmap $OPTIONS $TARGETS -oA scan-$date > /dev/null
	   if [ -e scan-prev.xml ]; then
		   ndiff scan-prev.xml scan-$date.xml > diff-$date
		   echo "*** NDIFF RESULTS ***"
		   cat diff-$date
		   echo
	   fi
	   echo "*** NMAP RESULTS ***"
	   cat scan-$date.nmap
	   ln -sf scan-$date.xml scan-prev.xml

       If the script is saved as /root/scan-ndiff.sh, add the following line to root's crontab:

	   0 12 * * * /root/scan-ndiff.sh

EXIT CODE

       The exit code indicates whether the scans are equal.

       o   0 means that the scans are the same in all the aspects Ndiff knows about.

       o   1 means that the scans differ.

       o   2 indicates a runtime error, such as the failure to open a file.

BUGS

       Report bugs to the nmap-dev mailing list at <dev@nmap.org>.

HISTORY

       Ndiff started as a project by Michael Pattrick during the 2008 Google Summer of Code. Michael designed the program and led the discussion
       of its output formats. He wrote versions of the program in Perl and C++, but the summer ended shortly after it was decided to rewrite the
       program in Python for the sake of Windows (and Zenmap) compatibility. This Python version was written by David Fifield. James Levine
       released[1] a Perl script named Ndiff with similar functionality in 2000.

AUTHORS

       David Fifield <david@bamsoftware.com>

       Michael Pattrick <mpattrick@rhinovirus.org>

WEB SITE

       http://nmap.org/ndiff/

NOTES

	1. released
	   http://seclists.org/nmap-hackers/2000/315

Ndiff								    07/28/2013								  NDIFF(1)
All times are GMT -4. The time now is 10:04 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy