Saving Results for Later Analysis with Nmap
Introduction
Nmap (Network Mapper) is one of the most powerful open-source tools used for network scanning, vulnerability assessment, and security auditing. Whether you are conducting penetration testing, network inventory management, or troubleshooting, saving scan results for later analysis is crucial. Nmap provides multiple ways to store and organize scan results in different formats, making it easier to review, compare, and share data.
In this article, we will explore the different methods available in Nmap for saving scan results, the advantages of each format, and best practices for organizing and analyzing saved data.
Why Save Nmap Scan Results?
Before diving into the technical details, it is important to understand why saving scan results is beneficial:
- Historical Comparison: Storing scan results allows you to compare them over time, making it easier to detect network changes and new vulnerabilities.
- Collaboration: Sharing scan results with team members simplifies security audits and troubleshooting.
- Automation & Reporting: Saved results can be used for automated analysis, custom scripts, or generating detailed security reports.
- Documentation & Compliance: In security assessments and regulatory audits, keeping records of network scans is often required.
Methods for Saving Nmap Scan Results
Nmap provides built-in options to save scan results using the -oN, -oX, -oG, and -oA flags. Let’s examine each option in detail.
1. Normal Output (-oN)
The -oN option saves the scan results in a human-readable format, similar to what is displayed in the terminal.
Example:
nmap -oN scan_results.txt 192.168.1.1
Pros:
- Easy to read manually.
- Good for quick reference.
- Can be used for simple comparisons.
Cons:
- Not structured for automated parsing.
- Harder to extract specific details programmatically.
2. XML Output (-oX)
The -oX option stores scan results in XML format, which is useful for integration with other tools and structured analysis.
Example:
nmap -oX scan_results.xml 192.168.1.1
Pros:
- Structured and machine-readable.
- Can be easily parsed using scripts or tools like xsltproc.
- Compatible with tools like Zenmap for graphical visualization.
Cons:
- Not easily readable by humans.
- Requires XML parsing knowledge for deeper analysis.
3. Grepable Output (-oG)
The -oG option saves results in a grep-friendly format, allowing for easy searching and filtering using command-line tools.
Example:
nmap -oG scan_results.grep 192.168.1.1
Pros:
- Designed for command-line filtering.
- Can be processed using grep, awk, and sed.
- Compact and easier for scripting.
Cons:
- Less human-readable compared to normal output.
- Not as structured as XML.
Example Filtering: Find all open ports in the scan results:
grep "Ports:" scan_results.grep | grep "open"
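An added example, not part of the original article: the grep pipeline above matches the substring "open" anywhere on the line, so it also returns ports in the open|filtered state and hosts whose name happens to contain "open". This Python sketch splits the Ports field and compares the state exactly; the sample output and the function names are constructed for illustration.

```python
# Constructed sample of -oG output (tab-separated fields), not a real scan.
SAMPLE_GNMAP = "\n".join([
    "# constructed sample",
    "Host: 192.168.1.1 (router.lan)\tStatus: Up",
    "Host: 192.168.1.1 (router.lan)\tPorts: 22/open/tcp//ssh///, "
    "53/open|filtered/udp//domain///, 80/open/tcp//http///, "
    "443/closed/tcp//https///\tIgnored State: filtered (996)",
    "Host: 192.168.1.20 (openvpn-gw)\tPorts: 1194/closed/udp//openvpn///",
])

def naive_grep(text):
    """Equivalent of: grep "Ports:" file | grep "open" (substring match)."""
    return [l for l in text.splitlines() if "Ports:" in l and "open" in l]

def ports_in_state(text, wanted=("open",)):
    """Map each host IP to [(port, proto, service)] whose state is in `wanted`."""
    found = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                      # skip "#" comment lines
        fields = line.split("\t")
        ip = fields[0].split()[1]         # "Host: <ip> (<name>)"
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # port/state/protocol/owner/service/rpc-info/version/
                parts = entry.split("/")
                if len(parts) < 5 or not parts[0].isdigit():
                    continue
                port, state, proto, _owner, service = parts[:5]
                if state in wanted:
                    found.setdefault(ip, []).append((int(port), proto, service))
    return found

if __name__ == "__main__":
    print(len(naive_grep(SAMPLE_GNMAP)), "lines matched by grep")
    print(ports_in_state(SAMPLE_GNMAP))
```

Pass wanted=("open", "open|filtered") to include ports Nmap could not classify, which is common for UDP scans.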
4. Combined Output (-oA)
The -oA option is the most comprehensive as it saves results in all three formats: normal (.nmap), XML (.xml), and grepable (.gnmap).
Example:
nmap -oA scan_results 192.168.1.1
This command generates the following files:
- scan_results.nmap (normal output)
- scan_results.xml (XML output)
- scan_results.gnmap (grepable output)
Pros:
- Offers flexibility with multiple formats.
- Best for archiving and future analysis.
- Ensures compatibility with various tools.
Cons:
- Requires more storage space.
- May generate unnecessary formats if only one is needed.
Best Practices for Managing Saved Nmap Results
To make the most out of your saved Nmap scan results, follow these best practices:
1. Use Meaningful Filenames
Organize scan results by including timestamps and target descriptions.
Example:
nmap -oA scans/network_scan_$(date +%F_%H-%M-%S) 192.168.1.0/24
This creates files like:
network_scan_2025-04-02_14-30-00.nmap
network_scan_2025-04-02_14-30-00.xml
network_scan_2025-04-02_14-30-00.gnmap
2. Automate Scans with Cron Jobs
Schedule periodic scans and store results automatically.
Example (Run daily at midnight):
crontab -e
Add this line:
0 0 * * * nmap -oA /path/to/scans/daily_scan_$(date +\%F) 192.168.1.0/24
3. Analyze XML Results with Scripts
Parse XML results using Python’s ElementTree module.
Example Python script:
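import xml.etree.ElementTree as ET

# Load the report written by: nmap -oX scan_results.xml <target>
tree = ET.parse('scan_results.xml')
root = tree.getroot()
for host in root.findall('host'):
    # <address> carries the host address in its addr attribute
    ip = host.find('address').get('addr')
    # Each <port> holds the port number and a <state> child element
    for port in host.findall('.//port'):
        port_id = port.get('portid')
        state = port.find('state').get('state')
        print(f"{ip}: Port {port_id} is {state}")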
4. Store Results in a Database
For long-term tracking, import XML results into a database like MySQL or PostgreSQL for querying.
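An added example, not part of the original article, showing the import and a historical-comparison query: it loads two XML reports into a table and lists ports that are open in the newer scan but were not open in the older one. Python's built-in sqlite3 stands in for MySQL or PostgreSQL, and the table layout, function names and both XML reports are constructed for illustration.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample reports, trimmed to the elements used here.
SCAN_OLD = """<nmaprun start="1743552000"><host>
<address addr="192.168.1.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
</ports></host></nmaprun>"""
SCAN_NEW = """<nmaprun start="1743638400"><host>
<address addr="192.168.1.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
</ports></host></nmaprun>"""

def import_scan(conn, xml_text):
    """Insert one row per scanned port; return the scan's start time (epoch)."""
    conn.execute("CREATE TABLE IF NOT EXISTS ports (scan_start INTEGER, ip TEXT,"
                 " proto TEXT, port INTEGER, state TEXT, service TEXT)")
    root = ET.fromstring(xml_text)
    start = int(root.get("start"))
    rows = []
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:        # IPv6-only host entry: skipped in this sketch
            continue
        for port in host.findall("ports/port"):
            state, svc = port.find("state"), port.find("service")
            rows.append((start, addr.get("addr"), port.get("protocol"),
                         int(port.get("portid")), state.get("state"),
                         svc.get("name") if svc is not None else None))
    conn.executemany("INSERT INTO ports VALUES (?, ?, ?, ?, ?, ?)", rows)
    return start

def newly_open(conn, old_start, new_start):
    """Ports open in the newer scan that were not open in the older one."""
    return conn.execute(
        "SELECT ip, proto, port, service FROM ports n "
        "WHERE n.scan_start = ? AND n.state = 'open' AND NOT EXISTS ("
        " SELECT 1 FROM ports o WHERE o.scan_start = ? AND o.state = 'open'"
        " AND o.ip = n.ip AND o.proto = n.proto AND o.port = n.port) "
        "ORDER BY ip, port", (new_start, old_start)).fetchall()

if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")
    old, new = import_scan(conn, SCAN_OLD), import_scan(conn, SCAN_NEW)
    print(newly_open(conn, old, new))
```

Swapping the two arguments of newly_open lists ports that were open before and no longer are, which is useful for confirming that a service was actually shut down.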
5. Visualize Data with Nmap-Compatible Tools
Use tools like Zenmap or NmapWeb to generate reports and graphical views of scan data.
Conclusion
Saving Nmap scan results is essential for effective network security analysis. Depending on your needs, you can choose from human-readable, structured, or grep-friendly formats. Using automation, scripting, and databases can further enhance how you store, analyze, and utilize scan data over time. By following best practices, you can create a well-organized repository of network scans that simplifies tracking changes and improving security posture.