SANS Digital Forensics and Incident Response Blog

NDIFF for incident detection

A good way to see changes to the network is with a tool called ndiff.

Ndiff is a tool that utilizes nmap output to identify the differences, or changes that have occurred in your environment. Ndiff can be downloaded from The application requires that perl is installed in addition to nmap. The fundamental use of ndiff entails combining ndiff with a baseline file. This is achieved by using the "-b" option to select the file that is the baseline with the file to be tested using the "-o" option. The "-fmt" option selects the reporting format.

Ndiff can query the system's port states or even test for types of hosts and Operating Systems using the "-output-ports" or "-output-hosts" options.

The options offered in ndiff include:

ndiff [-b|-baseline <file-or-:tag>] [-o|-observed <file-or-:tag>]

[-op|-output-ports <ocufx>] [-of|-output-hosts <nmc>]

[-fmt|-format <terse | minimal | verbose | machine | html | htmle>]

Ndiff output may be redirected to a web page:

ndiff —b base-line.txt —o tested.txt —fmt machine | ndiff2html > differences.html

The output file, "differences.html", may be displayed in a web browser. This will separate hosts into three main categories:

  • New Hosts,
  • Missing Hosts, and
  • Changed Hosts.

The baseline file (base-line.txt) should be created as soon as a preliminary network security exercise has locked down the systems and mapped what is in existence. This would be updated based on the change control process. In this, any authorized changes would be added to the "map". Any unauthorized changes or control failures with the change process will stand out as exceptions.

If a new host has appeared on the network map that has not been included in the change process and authorization, it will stand out as an exception. This reduces the volume of testing that needs to be completed.

Further, if a host appears in the "Changed Hosts" section of the report, you know what services have been added. This is again going to come back to a control failure in the change process or an unauthorized change. This unauthorized change could be due to anything from an internal user installing software without thinking or an attacker placing a trojan on the system. This still needs to be investigated, but checking an incident before the damage gets out of hand is always the better option.

Craig Wright is a Director with Information Defense in Australia. He holds both the GSE-Malware and GSE-Compliance certifications from GIAC and completed the GSE as well. He is a perpetual student with numerous post graduate degrees including an LLM specializing in international commercial lawand ecommerce law, A Masters Degree in mathematical statistics from Newcastle as well as working on his 4th IT focused Masters degree (Masters in System Development) from Charles Stuart University where he lectures subjects in a Masters degree in digital forensics. He is writing his second doctorate, a PhD on the quantification of information system risk at CSU.


Posted June 29, 2010 at 8:58 AM | Permalink | Reply

dan appears bogus! http unsupported! No NDIFF! Tried changing user-agent string, and browser emulation''no luck!

Posted June 30, 2010 at 8:20 PM | Permalink | Reply

Craig S Wright

Welcome to the web. Try Google, what is correct at time of writing can easily change. A simple Google search has supplied several alternatives:

Posted July 8, 2010 at 6:09 PM | Permalink | Reply

Ed Davison

Or, you can ''
Check the Wayback Machine:
Check the nmap site: