mailing list archives
Re: suitability of java for vulnerability scanners
From: "Max" <maxs () webwizarddesign com>
Date: Fri, 19 Mar 2004 14:20:46 +0500
On Fri, 19 Mar 2004 03:39:52 PST, alan donald wrote:
I wanted to know why java is not used to make
softwares like nessus or nmap. Is it because it may
not have the ability to make packets. Is there any
such library(and to what extent can it be used) that
can be leveraged in java which can help make a
software like those mentioned above.
Plus I have not seen java being used for such
softwares. Rather C or perl seems to be a more common
option. Can you shed some light on this too.
The problems with java for this kind of project, in
my opinion, are three-fold. Architecture
independence, start up speed, and resource usage are the
three big drawbacks I see for using it for a tool
Java attempts to have as few machine/architecture
dependent features as possible (as you know), so
doing systems programming with it is a lot more work
than with C or perl or python or ruby or C++ :) ..
many things that can be done with a direct system
call in the above languages require numerous lines
to get to in Java, and others would even require JNI glue
to be written to be done.
Yes, jdk 1.4+ now has UDP/TCP packet handling
(UDP was added recently), but I don't think IP
packets can be custom-crafted with java yet.
Startup time. Even though Java bytecode can run
nearly as fast as native C/C++ with a good JIT
compiler, the startup time for java/JVM still
sucks :P in my opinion .. so for programs that
only run for a minute or two, waiting 15-30 seconds
for a program to start is a disincentive in my opinion.
Resource usage. A JVM generally uses significantly more
memory than does an instance of the perl interpreter
or a C/C++ compiled binary.
There is an NNM written in java, several in
fact, and java does well there (long running processes),
but from my experience I still think that most machines
are not fast enough to make Java a language that
is good for a command-line tool like nmap.
NmapFE in java .. that would be cool :).
Just my opinions. Architecture-wise, I think java
would be a good choice for nmap. Once we all have 5 GHz
machines with 2 GB+ memory :P I think Java will deserve a
second look for writing command-line tools, though even
then I would rather use jython (www.jython.org) than pure Java!
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help () insecure org . List archive: http://seclists.org