Hi Jay,

I like the suggestion and i think your logic on how to handle the flags
is what i would expect.
To me the main use for this feature is doing things like nmap -p-
--exlude 9100 or nmap -p1-1000 --exclude 9. So i would be against
making this an error.

Yes you have explained things well and obviously thought about it a lot
more then me. All the usage patterns you have describe seem logical to me

Thanks John

Jay,
I agree--exclude should take priority over include.
Yes.
I don't think this is necessary, because it will involve retooling the
portspec parsing code. It can be added later; perhaps a TODO comment in the
code would be sufficient. On the other hand, I lean against warnings of any
kind involving port exclusions because the user should be able to figure it
out (except for 10
This now becomes the same as (b)
This is probably the exact same code path as (a)
Same as (b)
Yes.

A couple more:

(g) "-p 20-30 --exclude-ports 80-90" (disjoint) should probably cause no
warning, since the ports will not be scanned, just as requested.

(h) "-sSU -p 80 --exclude-ports U:80" should cause an error, because there
are no UDP ports available to scan, but the user requested a UDP scan.
Obviously this means that --exclude-ports should take the same format as -p
I tend to think the opposite: --top-ports 2 --exclude-ports 80 should only
scan port 23, not 23 and 443, since --top-ports 2 would not normally scan
443. But I am willing to be persuaded by use cases for the other way
around. You will have to be careful of edge cases: --top-ports 65535
--exclude-ports 1-10 will not scan 65535 ports.
Yes, additionally it should take T: and U: and the other modifiers. This
probably means just reusing the existing parser (getpts in nmap.cc).
I would not advocate for a 1-letter flag, but perhaps we should consider
what long option name gets used. The functions that handle this kind of
parsing and choosing are also used for the IP Protocol scan (-sO), so it
could fairly be called --exclude-protos. We don't have this problem with -p
simply because it is a 1-letter option. Suggestions, anyone?

Dan

List,
I guess I completely scrap the idea of warnings then. We could just make
the documentation very clear, and this should be enough.


There is some confusion with respect to point number 2 in my original mail.
Initially, the biggest reason I thought that we should scan exactly N
ports for "--top-ports N --exclude-ports A,B,C" in all cases (except for
edge cases) is that it reads more naturally (at least to me).
However, as I thought about it, I came up with a use case [1] that
clearly illustrates the reason we should keep it with exactly N ports.
I also decided that I could ask some folks as to what the command really
reads as [2].
I'm not so sure, but how about --exclude-p ? This basically comes from
the reasoning that we use --exclude for hosts since hosts have no option
name before them, so we use --exclude-p for the things that have -p
before them.
This could be quite debatable actually, but it is a triviality in
relation to the rest of the code. I will code in the option as
--exclude-ports for now (only because of the subject of the thread), but
we could decide the exact name anytime later before we commit it.


Cheers,
Jay

References/Links:
[1] Hypothetical Scenario: If I am a network admin who scans my network
daily (thoroughly) and hourly (just for top ports) to see if any
services/ports have opened up inadvertently/maliciously. I would have a
limited time span for which I can run the hourly scan and my top-ports
number is limited by this. I would have written a script that runs
"--top-ports N" and would look for any new additions that pop up. Now
that an exclude-ports option is there in Nmap, I'd just add all the
ports that I know to be open (since I know which services I've
installed) to the exclude-ports list and make the script run with a
"--exclude-ports A,B,C" tagged along (to be able to scan more ports that
should not be open in the same amount of time). Now, due to some new
software that I have installed, there is a new port opened. Then I'd add
a ",D" to the list and be done with it. This would basically scan the
same number of ports but would actually be a more informative scan. On
the other hand, if I had to make it "--top-ports N+4 --exclude-ports
A,B,C,D" then I had to either waste time checking that D is actually in
the top ports list (and then change to N+4) or I would forget about
changing it to N+4 which basically means that the time taken by the scan
is lesser (and time that could've been used to check for one more rogue
service goes to waste).
[2]
http://english.stackexchange.com/questions/177252/how-to-interpret-top-n-except-a-b-c