Nmap Security Scanner
*Ref Guide
Security Lists
Security Tools
Site News
Advertising
About/Contact
Credits
Sponsors





Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
The Full DTD
Prev Appendix A. Nmap XML Output DTD Next

The Full DTD

<!--
    nmap.dtd
    This is the DTD for nmap's XML output (-oX) format.
    $Id: nmap.dtd 7474 2008-05-12 15:54:14Z david $

    Originally written by:
    William McVey <wam@cisco.com> <wam+nmap@wamber.net>

    Now maintained by Fyodor <fyodor@insecure.org> as part of Nmap.     

    To validate using this file, simply add a DOCTYPE line similar to:
    <!DOCTYPE nmaprun SYSTEM "nmap.dtd">
    to the nmap output immediately below the prologue (the first line).  This
    should allow you to run a validating parser against the output (so long
    as the dtd is in your parser's dtd search path).

    Bugs:
    Most of the elements are "locked" into the specific order that nmap
    generates, when there really is no need for a specific ordering.
    This is primarily because I don't know the xml DTD construct to
    specify "one each of this list of elements, in any order".  If there
    is a construct similar to SGML's '&' operator, please let me know.

    Portions Copyright (c) 2001-2007 Insecure.Com LLC
    Portions Copyright (c) 2001 by Cisco systems, Inc.
 
    Permission to use, copy, modify, and distribute modified and
    unmodified copies of this software for any purpose and without fee is
    hereby granted, provided that (a) this copyright and permission notice
    appear on all copies of the software and supporting documentation, (b)
    the name of Cisco Systems, Inc. not be used in advertising or
    publicity pertaining to distribution of the program without specific
    prior permission, and (c) notice be given in supporting documentation
    that use, modification, copying and distribution is by permission of
    Cisco Systems, Inc.
 
    Cisco Systems, Inc. makes no representations about the suitability
    of this software for any purpose.  THIS SOFTWARE IS PROVIDED ``AS
    IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
    WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
    FITNESS FOR A PARTICULAR PURPOSE.
-->

<!-- parameter entities to specify common "types" used elsewhere in the DTD -->
<!ENTITY % attr_alpha "CDATA" >
<!ENTITY % attr_numeric "CDATA" >
<!ENTITY % attr_ipaddr "CDATA" >
<!ENTITY % attr_percent "CDATA" >
<!ENTITY % attr_type "(ipv4 | ipv6 | mac)" >

<!ENTITY % host_states "(up|down|unknown|skipped)" >

<!-- see: nmap.c:statenum2str for list of port states -->
<!-- Maybe they should be enumerated as in scan_types below , but I -->
<!-- don't know how to escape states like open|filtered -->
<!ENTITY % port_states "CDATA" >

<!ENTITY % hostname_types "(PTR)" >

<!-- see output.c:output_xml_scaninfo_records for scan types -->
<!ENTITY % scan_types "(syn|ack|bounce|connect|null|xmas|window|maimon|fin|udp|ipproto)" >

<!-- <!ENTITY % ip_versions "(ipv4)" > -->

<!ENTITY % port_protocols "(ip|tcp|udp)" >

<!-- I don't know exactly what these are, but the values were enumerated via:
     grep "conf=" *
--> 
<!ENTITY % service_confs  "( 0 | 3 | 5 | 10)" >

<!-- This element was started in nmap.c:nmap_main().
     It represents to the topmost element of the output document.
-->
<!ELEMENT nmaprun      (scaninfo*, verbose, debugging, ((taskbegin, taskprogress*, taskend) | host)*, runstats) >
<!ATTLIST nmaprun
scanner (nmap) #REQUIRED
args CDATA #IMPLIED
start %attr_numeric; #IMPLIED
startstr CDATA         #IMPLIED
version CDATA #REQUIRED
xmloutputversion (1.02) #REQUIRED
>

<!-- this element is written in output.c:doscaninfo() -->
<!ELEMENT scaninfo EMPTY >
<!ATTLIST scaninfo
type %scan_types; #REQUIRED
protocol %port_protocols; #REQUIRED
numservices %attr_numeric; #REQUIRED
services CDATA #REQUIRED
>

<!-- these elements are written in nmap.c:nmap_main() -->
<!ELEMENT verbose EMPTY >
<!ATTLIST verbose level %attr_numeric; #IMPLIED >


<!ELEMENT debugging  EMPTY >
<!ATTLIST debugging level %attr_numeric; #IMPLIED >

<!-- this element is written in timing.c:beginOrEndTask() -->
<!ELEMENT taskbegin EMPTY >
<!ATTLIST taskbegin
task CDATA #REQUIRED
time %attr_numeric; #REQUIRED
extrainfo CDATA #IMPLIED
>

<!-- this element is written in timing.c:printStats() -->
<!ELEMENT taskprogress EMPTY >
<!ATTLIST taskprogress
task CDATA #REQUIRED
time %attr_numeric; #REQUIRED
percent %attr_percent; #REQUIRED
remaining %attr_numeric; #REQUIRED
etc %attr_numeric; #REQUIRED
>

<!-- this element is written in timing.c:beginOrEndTask() -->
<!ELEMENT taskend EMPTY >
<!ATTLIST taskend
task CDATA #REQUIRED
time %attr_numeric; #REQUIRED
extrainfo CDATA #IMPLIED
>

<!-- 
     this element is started in nmap.c:nmap_main() and filled by
     output.c:write_host_status(), output.c:printportoutput(), and
     output.c:printosscanoutput()
-->
<!ELEMENT host ( status, address , (address | hostnames |
                          smurf | ports | os | distance | uptime | 
                          tcpsequence | ipidsequence | tcptssequence |
                          hostscript | trace)*, times ) >
<!ATTLIST host
starttime %attr_numeric; #IMPLIED
endtime %attr_numeric; #IMPLIED
>

<!-- these elements are written by output.c:write_xml_initial_hostinfo() -->
<!ELEMENT status EMPTY >
<!ATTLIST status state %host_states; #REQUIRED 
  reason CDATA #REQUIRED 
 >

<!ELEMENT address EMPTY >
<!ATTLIST address
addr %attr_ipaddr; #REQUIRED
addrtype %attr_type; "ipv4"
vendor CDATA #IMPLIED
>

<!ELEMENT hostnames (hostname)* >
<!ELEMENT hostname EMPTY >
<!ATTLIST hostname
name CDATA #IMPLIED
type %hostname_types; #IMPLIED
>


<!-- this element is written by output.c:write_host_status() -->
<!ELEMENT smurf EMPTY >
<!ATTLIST smurf responses %attr_numeric; #REQUIRED >

<!-- these elements are written by output.c:printportoutput() -->

<!ELEMENT ports (extraports* , port*) >

<!ELEMENT extraports (extrareasons)* >
<!ATTLIST extraports
state %port_states; #REQUIRED
count %attr_numeric;  #REQUIRED
>

<!ELEMENT extrareasons EMPTY >
<!ATTLIST extrareasons
reason CDATA #REQUIRED
count CDATA #REQUIRED
>

<!ELEMENT port (state , owner? , service?, script*) >
<!ATTLIST port
protocol %port_protocols; #REQUIRED
portid %attr_numeric; #REQUIRED
>

<!ELEMENT state EMPTY >
<!ATTLIST state
state %port_states; #REQUIRED 
reason CDATA #REQUIRED
reason_ttl CDATA #REQUIRED
reason_ip CDATA #IMPLIED
>

<!ELEMENT owner EMPTY >
<!ATTLIST owner name CDATA #REQUIRED >

<!ELEMENT service EMPTY >
<!ATTLIST service
name CDATA #REQUIRED
conf %service_confs; #REQUIRED
                        method          (table|detection|probed) #REQUIRED
                        version         CDATA           #IMPLIED
                        product         CDATA           #IMPLIED
                        extrainfo       CDATA           #IMPLIED
tunnel (ssl) #IMPLIED
proto (rpc) #IMPLIED
rpcnum %attr_numeric; #IMPLIED
lowver %attr_numeric; #IMPLIED
highver %attr_numeric; #IMPLIED
                        hostname        CDATA           #IMPLIED
                        ostype          CDATA           #IMPLIED
                        devicetype      CDATA           #IMPLIED
                        servicefp       CDATA           #IMPLIED
>

<!ELEMENT script EMPTY >
<!ATTLIST script
id CDATA #REQUIRED
output CDATA #REQUIRED
>

<!ELEMENT os ( portused* , osclass*, osmatch*, osfingerprint* ) >

<!ELEMENT portused EMPTY >
<!ATTLIST portused
state  %port_states; #REQUIRED
proto  %port_protocols; #REQUIRED
portid  %attr_numeric; #REQUIRED
>
<!ELEMENT osclass      EMPTY >
<!ATTLIST osclass
                       vendor          CDATA           #REQUIRED
                       osgen           CDATA           #IMPLIED
                       type            CDATA           #IMPLIED
                       accuracy        CDATA           #REQUIRED
                       osfamily        CDATA           #REQUIRED
>


<!ELEMENT osmatch EMPTY >
<!ATTLIST osmatch
name CDATA #REQUIRED
accuracy %attr_numeric; #REQUIRED
line     %attr_numeric; #REQUIRED
>

<!ELEMENT osfingerprint EMPTY >
<!ATTLIST osfingerprint
fingerprint CDATA #REQUIRED
>

<!ELEMENT distance EMPTY >
<!ATTLIST distance
value %attr_numeric; #REQUIRED
>

<!ELEMENT uptime EMPTY >
<!ATTLIST uptime
seconds %attr_numeric; #REQUIRED
lastboot CDATA #IMPLIED
>

<!ELEMENT tcpsequence EMPTY >
<!ATTLIST tcpsequence
index %attr_numeric; #REQUIRED
difficulty CDATA #REQUIRED
values CDATA #REQUIRED
>

<!ELEMENT ipidsequence EMPTY >
<!ATTLIST ipidsequence
class CDATA #REQUIRED
values CDATA #REQUIRED
>

<!ELEMENT tcptssequence EMPTY >
<!ATTLIST tcptssequence
class CDATA #REQUIRED
values CDATA #IMPLIED
>

<!ELEMENT trace (hop*, error?) >
<!ATTLIST trace
      proto   CDATA   #REQUIRED
      port    CDATA   #REQUIRED
>

<!ELEMENT hop EMPTY>
<!ATTLIST hop
      ttl     CDATA   #REQUIRED
      rtt     CDATA   #IMPLIED
      ipaddr  CDATA   #IMPLIED
      host    CDATA   #IMPLIED
>

<!ELEMENT error EMPTY>
<!ATTLIST error
     errorstr   CDATA #IMPLIED
>

<!ELEMENT times EMPTY>
<!ATTLIST times
srtt CDATA #REQUIRED
rttvar CDATA #REQUIRED
to CDATA #REQUIRED
>

<!-- these elements are generated in output.c:printfinaloutput() -->
<!ELEMENT runstats (finished, hosts) >

<!ELEMENT finished EMPTY >
<!ATTLIST finished time %attr_numeric; #REQUIRED 
                        timestr CDATA         #IMPLIED
>

<!ELEMENT hosts EMPTY >
<!ATTLIST hosts
up %attr_numeric; "0"
down %attr_numeric; "0"
total %attr_numeric; #REQUIRED
>

<!ELEMENT hostscript ( script+ )>


Prev Up Next
Appendix A. Nmap XML Output DTD Home Index
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]