XML Format (-oX <logfilename>)
Extensible Markup Language (XML) is a standard method of describing information, and should not be confused with HyperText Markup Language (HTML). HTML focuses on how data is to be displayed, while XML focuses on describing the data. XML is not a language; it is a way to structure, store, and send information.

XML is a great format to use when additional processing of nmap data is required. The XML format clearly identifies all of the nmap data, creating an output format that can be parsed and understood without any misinterpretations or inconsistencies. The nmap XML Document Type Definition (DTD) information is contained in a separate file available on the nmap web site at http://www.insecure.org/nmap/data/nmap.dtd.


The XML format contains a standard structure of information, but this standard structure is best read by machines. Nmap's man page refers to the XML output format as the "recommended" format when other programs need to interact with nmap's output. Most humans won't be able to easily obtain information from this XML file:
<?xml version="1.0" ?>
<?xml-stylesheet href="http://www.insecure.org/nmap/data/nmap.xsl" type="text/xsl"?>
<!-- nmap 3.81 scan initiated Fri May 20 21:00:50 2005 as: ./nmap -v -sS -oA 
   oA9 192.168.0.9 -->
<nmaprun scanner="nmap" args="./nmap -v -sS -oA oA9 192.168.0.9" start="1116637250" 
   startstr="Fri May 20 21:00:50 2005" version="3.81" xmloutputversion="1.01">
<scaninfo type="syn" protocol="tcp" numservices="1663" services="1-1027,1029-1033,
   1040,1050,1058-1059,1067-1068,1076,1080,1083-1084,1103,1109-1110,1112,1127,1139,
   1155,1178,1212,1214,1220,1222,1234,1241,1248,1337,1346-1381,1383-1552,1600,1650-1652,
   1661-1672,1680,1720,1723,1755,1761-1764,1827,1900,1935,1984,1986-2028,2030,2032-2035,
   2038,2040-2049,2053,2064-2065,2067-2068,2105-2106,2108,2111-2112,2120-2121,2201,2232,
   2241,2301,2307,2401,2430-2433,2500-2501,2564,2600-2605,2627-2628,2638,2766,2784,2809,
   2903,2998,3000-3001,3005-3006,3049,3052,3064,3086,3128,3141,3264,3268-3269,3292,3306,
   3333,3372,3389,3421,3455-3457,3462,3531,3632,3689,3900,3984-3986,3999-4000,4008,4045,
   4132-4133,4144,4224,4321,4333,4343,4444,4480,4500,4557,4559,4660,4672,4899,4987,4998,
   5000-5003,5010-5011,5050,5100-5102,5145,5190-5193,5232,5236,5300-5305,5308,5400,5405,
   5432,5490,5510,5520,5530,5540,5550,5555,5631-5632,5680,5713-5717,5800-5803,5900-5903,
   5977-5979,5997-6009,6017,6050,6101,6103,6105-6106,6110-6112,6141-6148,6346,6400-6401,
   6502,6543-6544,6547-6548,6558,6588,6666-6668,6699,6969,7000-7010,7070,7100,7200-7201,
   7273,7326,7464,7597,8000,8007,8009,8080-8082,8443,8888,8892,9090,9100,9111,9152,9535,
   9876,9991-9992,9999-10000,10005,10082-10083,11371,12000,12345-12346,13701-13702,
   13705-13706,13708-13718,13720-13722,13782-13783,15126,16959,17007,17300,18000,
   18181-18185,18187,19150,20005,22273,22289,22305,22321,22370,26208,27000-27010,27374,
   27665,31337,32770-32780,32786-32787,38037,38292,43188,44334,44442-44443,47557,49400,
   54320,61439-61441,65301" />
<verbose level="1" />
<debugging level="0" />
<host><status state="up" />
<address addr="192.168.0.9" addrtype="ipv4" />
<address addr="00:03:47:6D:28:D7" addrtype="mac" vendor="Intel" />
<hostnames />
<ports><extraports state="closed" count="1654" />
<port protocol="tcp" portid="21"><state state="open" /><service name="ftp"
   method="table" conf="3" /></port>
<port protocol="tcp" portid="22"><state state="open" /><service name="ssh"
   method="table" conf="3" /></port>
<port protocol="tcp" portid="23"><state state="open" /><service name="telnet"
   method="table" conf="3" /></port>
<port protocol="tcp" portid="79"><state state="open" /><service name="finger"
   method="table" conf="3" /></port>
<port protocol="tcp" portid="110"><state state="open" /><service name="pop3"
   method="table" conf="3" /></port>
<port protocol="tcp" portid="111"><state state="open" /><service name="rpcbind"
   method="table" conf="3" /></port>
<port protocol="tcp" portid="514"><state state="open" /><service name="shell"
   method="table" conf="3" /></port>
<port protocol="tcp" portid="886"><state state="open" /></port>
<port protocol="tcp" portid="2049"><state state="open" /><service name="nfs"
   method="table" conf="3" /></port>
</ports>
</host>
<runstats><finished time="1116637261" timestr="Fri May 20 21:01:01 2005"/><hosts 
   up="1" down="0" total="1" />
<!-- Nmap run completed at Fri May 20 21:01:01 2005; 1 IP address (1 host up) scanned in 
   10.950 seconds -->
</runstats></nmaprun>
Fortunately for humans, nmap includes an Extensible Stylesheet Language (XSL) file that assists in translating the XML information into a viewable HTML format. In most cases, the XML file can be opened in any browser to display the translated format:

[Figure: the oA9 XML output rendered as HTML in a browser]

After viewing the XML/XSL file output, it should be clear that this format has some obvious advantages. Security managers who have had to previously sift through pages of plain text can appreciate the more practical formatting and clearer output functionality available with the XML output.
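For the case where another program consumes the scan, the following added example (not part of the original page or of nmap itself) parses -oX output into a list of hosts with their open ports. The embedded sample is a constructed, trimmed copy of the oA9 scan shown earlier, and the function name parse_nmap_xml is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed copy of the oA9 scan (scaninfo and most ports omitted).
SAMPLE = """<?xml version="1.0" ?>
<nmaprun scanner="nmap" args="./nmap -v -sS -oA oA9 192.168.0.9" version="3.81">
<host><status state="up" />
<address addr="192.168.0.9" addrtype="ipv4" />
<address addr="00:03:47:6D:28:D7" addrtype="mac" vendor="Intel" />
<hostnames />
<ports><extraports state="closed" count="1654" />
<port protocol="tcp" portid="21"><state state="open" /><service name="ftp" method="table" conf="3" /></port>
<port protocol="tcp" portid="23"><state state="open" /><service name="telnet" method="table" conf="3" /></port>
<port protocol="tcp" portid="886"><state state="open" /></port>
</ports>
</host>
<runstats><finished time="1116637261" /><hosts up="1" down="0" total="1" /></runstats>
</nmaprun>"""


def parse_nmap_xml(text):
    """Return one dict per <host>: its state, addresses and open ports."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        # An interrupted scan leaves the file without its closing tags.
        raise ValueError(f"incomplete or malformed nmap XML: {exc}") from exc
    if root.tag != "nmaprun":
        raise ValueError("root element is not <nmaprun>")
    hosts = []
    for host in root.iter("host"):
        status = host.find("status")
        addresses = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")  # missing for unnamed ports such as 886
            name = service.get("name") if service is not None else None
            open_ports.append((port.get("protocol"), int(port.get("portid")), name))
        hosts.append({"state": status.get("state") if status is not None else None,
                      "addresses": addresses, "open_ports": open_ports})
    return hosts


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE):
        print(h["addresses"].get("ipv4"), h["state"], h["open_ports"])
```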

Does your nmap output look this good?



Stylesheet (--stylesheet <filename>)
When using the XML output format (-oX), nmap automatically includes a reference to the nmap.xsl file that was included with nmap. Viewing the XML output file in most browsers will automatically load the stylesheet and translate the XML information into HTML format.

There may be cases where another stylesheet would be used to translate the XML information. For example, a security manager may want to change the header of the page to include company information, add logos, or change the colors of the HTML output. If the XML information will be viewed in a report format, this capability can be very beneficial.

The nmap web site always maintains the latest version of the default stylesheet. The --stylesheet option can reference the XSL file at http://www.insecure.org/nmap/data/nmap.xsl, or the option can point to an XSL file on a local device or web server.


No Stylesheet (--no-stylesheet)
There may be occasions where the XML file will be used by another application and not require a conversion to HTML. In these cases, it's more efficient to create the XML file without any references to a stylesheet. This option is only applicable when the XML output format (-oX) is chosen, although nmap will still run without an error if the --no-stylesheet option is used without any reference to XML output.

Unlike other multi-word nmap options, the --no-stylesheet option separates the words with a hyphen (-) instead of an underscore (_). Nmap will not recognize this option if an underscore is used.
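To check which stylesheet a given XML output file references (the default or a --stylesheet value, or none when --no-stylesheet was used), the following added example reads the xml-stylesheet processing instruction. It is not code from the original page or from nmap; the function name stylesheet_ref, the "remote"/"local"/"none" labels and the sample documents are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse
from xml.dom import minidom

# Constructed samples: minimal nmaprun documents with different stylesheet settings.
BODY = '<nmaprun scanner="nmap" version="3.81"></nmaprun>'
REMOTE = ('<?xml version="1.0" ?>\n<?xml-stylesheet '
          'href="http://www.insecure.org/nmap/data/nmap.xsl" type="text/xsl"?>\n' + BODY)
LOCAL = ('<?xml version="1.0" ?>\n'
         '<?xml-stylesheet href="reports/company.xsl" type="text/xsl"?>\n' + BODY)
NONE = '<?xml version="1.0" ?>\n' + BODY  # as written with --no-stylesheet


def stylesheet_ref(xml_text):
    """Return (kind, href): kind is 'remote', 'local' or 'none'."""
    doc = minidom.parseString(xml_text)
    # The processing instruction sits in the prolog, before the root element.
    for node in doc.childNodes:
        if (node.nodeType == node.PROCESSING_INSTRUCTION_NODE
                and node.target == "xml-stylesheet"):
            match = re.search(r'href\s*=\s*(["\'])(.*?)\1', node.data)
            if not match:
                continue
            href = match.group(2)
            scheme = urlparse(href).scheme.lower()
            kind = "remote" if scheme in ("http", "https") else "local"
            return kind, href
    return "none", None


if __name__ == "__main__":
    for label, text in (("default", REMOTE), ("custom", LOCAL), ("none", NONE)):
        print(label, stylesheet_ref(text))
```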