Ndiff is a tool that can be used to compare two nmap scan files and highlight any changes between them. In order to compare the scans, the files in nmap must be saved in text or xml format. Ndiff points out the differences between them for easy comparison by using plus and minus signs.

Let's say that we want to compare two scans of a single host. We will use the option -oX and a filename.xml, which will save the nmap output in an xml file.

Save the results on an XML file – 1st Scan


Save the results on an XML file – 2nd Scan


As we can see, in the first scan the host has only two ports open, while in the second it has 5. Now let's compare these two results with Ndiff. The comparison can be done very easily, just by using the command ndiff [filename.xml filename2.xml]

ndiff – Comparison of two nmap scans


The above image illustrates the differences between the two scans that we have conducted on the same host. The plus sign (+) highlights the differences of the second file in relation to the first, while the minus sign (-) indicates the differences of the first file in comparison with the second. Specifically, in the example above we can see that ports 135, 1111 and 3389 have the plus sign, which means that these ports were found open in the second scan while they were closed in the first scan.
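The plus and minus convention described above, reduced to per-port changes, as an added example that is not part of the original post and is not Ndiff's own code. The two XML documents are constructed and trimmed to the elements used; the host address 192.0.2.10, ports 139 and 445, the service names and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample data (not real scan output): minimal nmap -oX style XML.
def make_scan(ports):
    rows = "".join(
        f'<port protocol="tcp" portid="{p}"><state state="{s}"/>'
        f'<service name="{n}"/></port>' for p, s, n in ports)
    return (f'<nmaprun><host><address addr="192.0.2.10" addrtype="ipv4"/>'
            f'<ports>{rows}</ports></host></nmaprun>')

# First scan: two open ports. Second scan: five, adding 135, 1111 and 3389.
SCAN1 = make_scan([(139, "open", "netbios-ssn"), (445, "open", "microsoft-ds")])
SCAN2 = make_scan([(135, "open", "msrpc"), (139, "open", "netbios-ssn"),
                   (445, "open", "microsoft-ds"), (1111, "open", "unknown"),
                   (3389, "open", "ms-wbt-server")])

def port_table(xml_text):
    """Map (address, protocol, port) -> (state, service) for every port element."""
    table = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            key = (addr, port.get("protocol"), int(port.get("portid")))
            table[key] = (state.get("state") if state is not None else "unknown",
                          service.get("name") if service is not None else "")
    return table

def diff_scans(old_xml, new_xml):
    """Return lines marked '-' (first scan only) or '+' (second scan only)."""
    old, new = port_table(old_xml), port_table(new_xml)
    lines = []
    for key in sorted(set(old) | set(new)):
        addr, proto, portid = key
        if old.get(key) == new.get(key):
            continue  # unchanged ports are left out, as in the non-verbose view
        if key in old:
            lines.append(f"-{addr} {portid}/{proto} {old[key][0]} {old[key][1]}".rstrip())
        if key in new:
            lines.append(f"+{addr} {portid}/{proto} {new[key][0]} {new[key][1]}".rstrip())
    return lines

if __name__ == "__main__":
    print("\n".join(diff_scans(SCAN1, SCAN2)))
```

A port whose state changes between scans produces a minus line with the old state followed by a plus line with the new one.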

Alternatively, we can use the -v option (verbose mode), which displays all the output of the two xml files and highlights the differences with the plus and minus signs as before.

ndiff verbose mode


Ndiff can also produce its results as XML output with the --xml option. This option is useful in cases where we want to import the information from Ndiff into a third-party tool that uses this format.

ndiff – xml output