This is the DTD for nmap's XML output (-oX) format.
     Tested against nmap-2.54BETA29
     $Id: nmap.dtd,v 1.1 2004/02/28 01:22:08 mmanno Exp $

     William McVey 
     Until officially adopted as a part of the nmap distribution, the latest
     version of this DTD can be found linked off:

     To validate using this file, simply add a DOCTYPE line similar to:
     <!DOCTYPE nmaprun SYSTEM "nmap.dtd">
     to the nmap output immediately below the prologue (the first line).  This
     should allow you to run a validating parser against the output (so long
     as the dtd is in your parser's dtd search path).

     Most of the elements are "locked" into the specific order that nmap
     generates, when there really is no need for a specific ordering.
     This is primarily because I don't know the xml DTD construct to
     specify "one each of this list of elements, in any order".  If there
     is a construct similar to SGML's '&' operator, please let me know.

     Since the work to write this DTD was done as part of my
     job duties for the Cisco Secure Consulting Services group
     (http://www.cisco.com/go/securityconsulting), the following copyright 
     needs to be included in this and any other derived works.

#   Copyright (c) 2001 by Cisco systems, Inc.
#   Permission to use, copy, modify, and distribute modified and
#   unmodified copies of this software for any purpose and without fee is
#   hereby granted, provided that (a) this copyright and permission notice
#   appear on all copies of the software and supporting documentation, (b)
#   the name of Cisco Systems, Inc. not be used in advertising or
#   publicity pertaining to distribution of the program without specific
#   prior permission, and (c) notice be given in supporting documentation
#   that use, modification, copying and distribution is by permission of
#   Cisco Systems, Inc.
#   Cisco Systems, Inc. makes no representations about the suitability
#   of this software for any purpose.  THIS SOFTWARE IS PROVIDED ``AS


<!-- parameter entities to specify common "types" used elsewhere in the DTD -->
<!ENTITY % attr_numeric "CDATA" >
<!ENTITY % attr_ipaddr "CDATA" >
<!ENTITY % attr_numeric "CDATA" >

<!ENTITY % host_states "(up|down|unknown|skipped)" >

<!-- see: nmap.c:statenum2str for list of port states -->
<!ENTITY % port_states "(open|closed|filtered|UNfiltered|unknown)" >

<!ENTITY % hostname_types "(PTR)" >

<!-- see output.c:output_xml_scaninfo_records for scan types -->
<!ENTITY % scan_types "(syn|ack|bounce|connect|null|xmas|window|maimon|fin|udp|ipproto)" >

<!ENTITY % ip_versions "(ipv4)" >

<!ENTITY % port_protocols "(ip|tcp|udp)" >

<!-- I don't know exactly what these are, but the values were enumerated via:
     grep "conf=" *
<!ENTITY % service_confs  "( 3 | 5 | 10)" >

<!-- This element was started in nmap.c:nmap_main().
     It represents to the topmost element of the output document.
<!ELEMENT nmaprun      (scaninfo?, verbose, debugging, host*, runstats?) >
<!ATTLIST nmaprun
			scanner		(nmap)		#REQUIRED
			args		CDATA		#IMPLIED
			start		%attr_numeric;	#IMPLIED
			version		CDATA		#REQUIRED
			xmloutputversion (1.0)		#REQUIRED

<!-- this element is written in output.c:doscaninfo() -->
<!ELEMENT scaninfo	EMPTY >
<!ATTLIST scaninfo
			type		%scan_types;	#REQUIRED
			protocol	%port_protocols; #REQUIRED
			numservices	%attr_numeric;	#REQUIRED
			services	CDATA		#REQUIRED

<!-- these elements are written in nmap.c:nmap_main() -->
<!ELEMENT verbose	EMPTY >
<!ATTLIST verbose	level		%attr_numeric;	#IMPLIED >

<!ELEMENT debugging 	EMPTY >
<!ATTLIST debugging	level		%attr_numeric;	#IMPLIED >

     this element is started in nmap.c:nmap_main() and filled by
     output.c:write_host_status(), output.c:printportoutput(), and
<!ELEMENT host		( ( status | address )+ , ( hostnames | smurf | ports | addport | os | uptime | tcpsequence | ipidsequence | tcptssequence )* ) >

<!-- these elements are written by output.c:write_xml_initial_hostinfo() -->
<!ELEMENT status	EMPTY >
<!ATTLIST status	state		%host_states;	#REQUIRED >

<!ELEMENT address	EMPTY >
<!ATTLIST address	
			addr		%attr_ipaddr;	#REQUIRED
			addrtype	%ip_versions;	"ipv4"

<!ELEMENT hostnames	(hostname)* >
<!ELEMENT hostname	EMPTY >
<!ATTLIST hostname
			name		CDATA		#IMPLIED
			type		%hostname_types; #IMPLIED

<!-- this element are written by output.c:write_host_status() -->
<!ELEMENT smurf		EMPTY >
<!ATTLIST smurf		responses	%attr_numeric;	#REQUIRED >

<!-- this element are written by portlist.cc:addport() -->
<!ELEMENT addport         EMPTY >
<!ATTLIST addport         
                        state           %port_states;    #REQUIRED
                        owner           CDATA            #IMPLIED
                        portid          %attr_numeric;   #REQUIRED
                        protocol        %port_protocols; #REQUIRED

<!-- these elements are written by output.c:printportoutput() -->

<!ELEMENT ports		(extraports? , port*) >

<!ELEMENT extraports	EMPTY >
<!ATTLIST extraports
			state		%port_states;	#REQUIRED
			count		%attr_numeric;	"closed"

<!ELEMENT port		(state , owner? , service? ) >
<!ATTLIST port
			protocol	%port_protocols;	#REQUIRED
			portid		%attr_numeric;	#REQUIRED

<!ELEMENT state		EMPTY >
<!ATTLIST state		state		%port_states;	#REQUIRED >

<!ELEMENT owner		EMPTY >
<!ATTLIST owner		name		CDATA		#REQUIRED >

<!ELEMENT service	EMPTY >
<!ATTLIST service
			conf		%service_confs;	#REQUIRED
                        method          (table|detection|probed) #REQUIRED
                        version         CDATA           #IMPLIED
                        product         CDATA           #IMPLIED
                        extrainfo       CDATA           #IMPLIED
			proto		(rpc)		#IMPLIED
			rpcnum		%attr_numeric;	#IMPLIED
			lowver		%attr_numeric;	#IMPLIED
			highver		%attr_numeric;	#IMPLIED

<!-- these elements are written by output.c: printosscanoutput() -->

<!ELEMENT os		( portused* , osclass*, osmatch* ) >

<!ELEMENT portused	EMPTY >
<!ATTLIST portused
			state 		%port_states;	#REQUIRED
			proto 		%port_protocols; #REQUIRED
			portid 		%attr_numeric;	#REQUIRED
<!ELEMENT osclass      EMPTY >
<!ATTLIST osclass
                       vendor          CDATA           #REQUIRED
                       osgen           CDATA           #IMPLIED
                       type            CDATA           #IMPLIED
                       accuracy        CDATA           #REQUIRED
                       osfamily        CDATA           #REQUIRED

<!ELEMENT osmatch	EMPTY >
<!ATTLIST osmatch
			accuracy	%attr_numeric;	#REQUIRED

<!ELEMENT uptime	EMPTY >
<!ATTLIST uptime
			seconds		%attr_numeric;	#REQUIRED
			lastboot	CDATA		#IMPLIED

<!ELEMENT tcpsequence	EMPTY >
<!ATTLIST tcpsequence
			index		%attr_numeric;	#REQUIRED
			class		CDATA		#REQUIRED
			difficulty	CDATA		#REQUIRED
			values		CDATA		#REQUIRED

<!ELEMENT ipidsequence	EMPTY >
<!ATTLIST ipidsequence
			class		CDATA		#REQUIRED
			values		CDATA		#REQUIRED

<!ELEMENT tcptssequence	EMPTY >
<!ATTLIST tcptssequence
			class		CDATA		#REQUIRED
			values		CDATA		#IMPLIED

<!-- these elements are generated in output.c:printfinaloutput() -->
<!ELEMENT runstats	(finished, hosts) >

<!ELEMENT finished	EMPTY >
<!ATTLIST finished	time		%attr_numeric;	#REQUIRED >

<!ELEMENT hosts		EMPTY >
<!ATTLIST hosts
			up		%attr_numeric;	"0"
			down		%attr_numeric;	"0"
			skipped		%attr_numeric;	"0"
			total		%attr_numeric;	#REQUIRED