Normal Output (`-oN`) with Nmap
Introduction
Nmap (Network Mapper) is one of the most widely used network scanning tools, known for its versatility and power in network reconnaissance and security auditing. Among its many output options, the Normal Output (-oN) format is one of the most straightforward and human-readable ways to store scan results. This article delves into the normal output format in Nmap, explaining its structure, advantages, use cases, and best practices.
What is Normal Output (-oN)?
The Normal Output (-oN) option in Nmap saves the scan results in a format similar to what is displayed in the terminal when running a scan. This makes it an ideal choice for users who want to store scan results in a structured yet easily readable format.
Syntax of -oN
To use the normal output format, the syntax is:
nmap -oN <output_file> <target>
For example:
nmap -oN scan_results.txt 192.168.1.1
This command scans the IP 192.168.1.1 and saves the output in a file called scan_results.txt in a human-readable format.
Structure of Normal Output
When using -oN, the output file contains structured information similar to what is displayed on the terminal. Below is an example of a normal output file:
# Nmap 7.92 scan initiated at 2025-04-01 12:34:56
Nmap scan report for 192.168.1.1
Host is up (0.0030s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 10.56 seconds
Breakdown of Output
Metadata:
- The first line indicates the Nmap version and the timestamp when the scan was initiated.
- The second line reports the scanned target (hostname or IP).
- The third line shows whether the host is up and the latency (response time).
Port Scan Results:
- A summary of the number of closed ports.
- A detailed table showing open ports, their state, and corresponding service names.
Completion Summary:
- The final line states the number of hosts scanned and the total duration of the scan.
Advantages of Using Normal Output (-oN)
The normal output format offers several benefits:
- Human-Readable Format: Unlike XML or grepable output, the normal format is easy to read and understand without additional parsing tools.
- Preserves Terminal Output: The stored results closely resemble what is seen on the command line, making it convenient for review and sharing.
- Good for Documentation: It serves as a useful log for later analysis and reporting.
- Easy to Share: Since the file is a plain text format, it can be easily shared and understood by other team members.
Comparing Normal Output with Other Formats
Nmap supports multiple output formats. Here’s how normal output compares to other formats:
Output Format | Option | Description |
---|---|---|
Normal Output | -oN | Human-readable, same as terminal output. |
XML Output | -oX | Machine-readable, suitable for automation. |
Grepable Output | -oG | Easily parsed with tools like grep and awk. |
Script Kiddie Output | -oS | Stylized, often used for fun or informal purposes. |
Unified Output | -oA | Saves in all formats (-oN, -oX, -oG). |
Best Practices for Using -oN
To maximize the effectiveness of normal output, consider these best practices:
1. Use a Meaningful Filename
Instead of generic names like scan.txt, use descriptive filenames that reflect the scan scope, such as:
nmap -oN scan_192.168.1.1_$(date +%F).txt 192.168.1.1
This creates a file named, for example, scan_192.168.1.1_2025-04-01.txt, making it easier to organize results.
2. Combine with tee for Real-Time Logging
To save results while also displaying them on the screen, use:
nmap -oN - 192.168.1.1 | tee scan_results.txt
Here -oN - sends the normal output to standard output and tee writes the file, so only one process writes to scan_results.txt. This ensures you can monitor the scan in real time while logging it.
3. Automate Scans with Cron Jobs
If running periodic scans, automate them with cron jobs:
0 3 * * * nmap -oN scan_$(date +\%F).txt 192.168.1.1
This schedules a scan every day at 3 AM and saves the results with the date. The % is escaped as \% because cron treats an unescaped % in the command field as a newline.
4. Use Normal Output in Reports
The -oN format is excellent for security reports, as it is easy to interpret. You can extract key insights and summarize them in a structured manner.
5. Monitor Changes Over Time
Compare multiple scans using diff to track network changes:
diff scan_results_old.txt scan_results_new.txt
This highlights differences between two scan results, helping identify changes such as newly opened ports that may introduce new vulnerabilities.
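A plain diff also flags the timestamp, latency and duration lines on every run, so a comparison keyed on host and port is easier to act on. The following added example (not from the original article) parses two -oN files in the layout broken down under "Structure of Normal Output" and reports ports that appeared, disappeared or changed; the function names and the second scan's values are constructed for illustration.

```python
import re

# Constructed sample scan in the layout shown in this article (not real results).
OLD_SCAN = """\
# Nmap 7.92 scan initiated at 2025-04-01 12:34:56
Nmap scan report for 192.168.1.1
Host is up (0.0030s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 10.56 seconds
"""
# Constructed later scan: new timestamp and latency (noise), mysql gone, 8080 new.
NEW_SCAN = (OLD_SCAN.replace("2025-04-01 12:34:56", "2025-04-02 03:00:01")
            .replace("0.0030s", "0.0041s")
            .replace("3306/tcp open mysql", "8080/tcp open http-proxy"))

HOST_RE = re.compile(r"^Nmap scan report for (.+)$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)")

def parse_normal_output(text):
    """Return {(host, port, proto): (state, service)} parsed from -oN text."""
    ports, host = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:  # a new host section starts; following port rows belong to it
            host = m.group(1).strip()
            continue
        m = PORT_RE.match(line)
        if m and host:
            ports[(host, int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return ports

def diff_scans(old_text, new_text):
    """Report ports that appeared, disappeared, or changed state/service."""
    old, new = parse_normal_output(old_text), parse_normal_output(new_text)
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted(k for k in new if k in old and new[k] != old[k]),
    }

if __name__ == "__main__":
    for kind, keys in diff_scans(OLD_SCAN, NEW_SCAN).items():
        for host, port, proto in keys:
            print(f"{kind}: {host} {port}/{proto}")
```

To compare real files, pass the contents of scan_results_old.txt and scan_results_new.txt to diff_scans instead of the embedded samples.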
Common Issues and Troubleshooting
1. Output File Not Created
Ensure that you have write permissions in the directory:
sudo nmap -oN /path/to/output.txt <target>
2. Long Scans Take Too Much Time
Consider using:
nmap -T4 -oN fast_scan.txt <target>
The -T4 option speeds up the scan by adjusting timing parameters.
3. Output File Becomes Too Large
For large networks, redirect output to a compressed file:
nmap -oN - <target> | gzip > scan_results.gz
Conclusion
The normal output format (-oN) in Nmap is an essential feature that provides a readable and structured representation of scan results. It is particularly useful for documentation, sharing, and analyzing network states over time. By following best practices such as meaningful file naming, automation, and monitoring changes, users can enhance their network scanning workflow efficiently.
Whether you are a beginner or an experienced security professional, understanding and utilizing -oN effectively can significantly improve your Nmap experience.