Saving Nmap Results

Why save? Scans should always be saved for documentation, comparison, and reporting. Nmap offers three distinct formats for different needs.

1. Output Formats

Flag	Extension	Description
-oN	.nmap	Normal. Human-readable, looks exactly like the terminal output.
-oG	.gnmap	Grepable. Single-line format, easy to parse with grep or awk.
-oX	.xml	XML. Structured format for importing into other tools or converting to HTML.
-oA	(All 3)	All Formats. Saves all three simultaneously. (Recommended)

2. The "All-in-One" Command (oA)

The best practice is to use -oA followed by a base filename (e.g., target).

sudo nmap 10.129.2.28 -p- -oA target

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 12:14 CEST
Nmap scan report for 10.129.2.28
Host is up (0.0091s latency).
Not shown: 65525 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
80/tcp    open  http
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 10.22 seconds

Verifying Files:

ls

target.gnmap target.xml  target.nmap

3. File Format Examples

A. Normal Output (.nmap)

Exactly what you saw in the terminal.

cat target.nmap

# Nmap 7.80 scan initiated Tue Jun 16 12:14:53 2020 as: nmap -p- -oA target 10.129.2.28
Nmap scan report for 10.129.2.28
Host is up (0.053s latency).
Not shown: 4 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
25/tcp open  smtp
80/tcp open  http
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
# Nmap done at Tue Jun 16 12:15:03 2020 -- 1 IP address (1 host up) scanned in 10.22 seconds

B. Grepable Output (.gnmap)

Information is condensed into single lines for easy text processing.

cat target.gnmap

# Nmap 7.80 scan initiated Tue Jun 16 12:14:53 2020 as: nmap -p- -oA target 10.129.2.28
Host: 10.129.2.28 ()	Status: Up
Host: 10.129.2.28 ()	Ports: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/open/tcp//http///	Ignored State: closed (4)
# Nmap done at Tue Jun 16 12:14:53 2020 -- 1 IP address (1 host up) scanned in 10.22 seconds

C. XML Output (.xml)

Machine-readable code structure.

cat target.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
...
<host starttime="12145301719" endtime="12150323493"><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="10.129.2.28" addrtype="ipv4"/>
<address addr="DE:AD:00:00:BE:EF" addrtype="mac" vendor="Intel Corporate"/>
...
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" method="table" conf="3"/></port>
...
</nmaprun>

Pro Tip: Creating HTML Reports

XML output is hard for humans to read but excellent for tools. You can use xsltproc to convert your Nmap XML file into a polished HTML report—perfect for showing results to non-technical stakeholders.

xsltproc target.xml -o target.html

Input: target.xml

Output: target.html (Open this file in your web browser).

Saving Cheat Sheet

Flag	Name	Function
-oA <name>	Output All	Saves results in .nmap, .gnmap, and .xml. (Best Practice).
-oN <name>	Normal	Saves results in standard terminal format.
-oG <name>	Grepable	Saves results in easy-to-grep format.
-oX <name>	XML	Saves results in XML format.
xsltproc	Converter	External tool to convert .xml scans into .html reports.

Flag

Extension

Description

-oN

.nmap

Normal. Human-readable, looks exactly like the terminal output.

-oG

.gnmap

Grepable. Single-line format, easy to parse with grep or awk.

-oX

.xml

XML. Structured format for importing into other tools or converting to HTML.

-oA

(All 3)

All Formats. Saves all three simultaneously. (Recommended)

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 12:14 CEST Nmap scan report for 10.129.2.28 Host is up (0.0091s latency). Not shown: 65525 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http MAC Address: DE:AD:00:00:BE:EF (Intel Corporate) Nmap done: 1 IP address (1 host up) scanned in 10.22 seconds

# Nmap 7.80 scan initiated Tue Jun 16 12:14:53 2020 as: nmap -p- -oA target 10.129.2.28 Nmap scan report for 10.129.2.28 Host is up (0.053s latency). Not shown: 4 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http MAC Address: DE:AD:00:00:BE:EF (Intel Corporate) # Nmap done at Tue Jun 16 12:15:03 2020 -- 1 IP address (1 host up) scanned in 10.22 seconds

# Nmap 7.80 scan initiated Tue Jun 16 12:14:53 2020 as: nmap -p- -oA target 10.129.2.28 Host: 10.129.2.28 () Status: Up Host: 10.129.2.28 () Ports: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/open/tcp//http/// Ignored State: closed (4) # Nmap done at Tue Jun 16 12:14:53 2020 -- 1 IP address (1 host up) scanned in 10.22 seconds

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE nmaprun> ... <host starttime="12145301719" endtime="12150323493"><status state="up" reason="arp-response" reason_ttl="0"/> <address addr="10.129.2.28" addrtype="ipv4"/> <address addr="DE:AD:00:00:BE:EF" addrtype="mac" vendor="Intel Corporate"/> ... <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" method="table" conf="3"/></port> ... </nmaprun>

Flag

Name

Function

-oA <name>

Output All

Saves results in .nmap, .gnmap, and .xml. (Best Practice).

-oN <name>

Normal

Saves results in standard terminal format.

-oG <name>

Grepable

Saves results in easy-to-grep format.

-oX <name>

XML

Saves results in XML format.

xsltproc

Converter

External tool to convert .xml scans into .html reports.