Nmap Development mailing list archives
Re: suitability of java for vulnerability scanners
From: "Max" <maxs () webwizarddesign com>
Date: Fri, 19 Mar 2004 14:20:46 +0500
Alan, On Fri, 19 Mar 2004 03:39:52 PST, alan donald wrote:
I wanted to know why java is not used to make softwares like nessus or nmap. Is it because it may not have the ability to make packets. Is there any such library(and to what extent can it be used) that can be leveraged in java which can help make a software like those mentioned above. Plus I have not seen java being used for such softwares. Rather C or perl seems to be a more common option. Can you shed some light on this too.
The problems with java for this kind of project, in my opinion, are three-fold. Architecture independence, start up speed, and resource usage are the three big drawbacks I see for using it for a tool like nmap. Java attempts to have as few machine/architecture dependent features as possible (as you know), so doing systems programming with it is a lot more work than with C or perl or python or ruby or C++ :) .. many things that can be done with a direct system call in the above languages require numerous lines to get to in Java, and others would even require JNI glue to be written to be done. Yes, jdk 1.4+ now has UDP/TCP packet handling (UDP was added recently), but I don't think IP packets can be custom-crafted with java yet. Startup time. Even though Java bytecode can run nearly as fast as native C/C++ with a good JIT compiler, the startup time for java/JVM still sucks :P in my opinion .. so for programs that only run for a minute or two, waiting 15-30 seconds for a program to start is a disincentive in my opinion. Resource usage. A JVM generally uses significantly more memory than does an instance of the perl interpreter or a C/C++ compiled binary. There is an NNM written in java, several in fact, and java does well there (long running processes), but from my experience I still think that most machines are not fast enough to make Java a language that is good for a command-line tool like nmap. NmapFE in java .. that would be cool :). Just my opinions. Architecture-wise, I think java would be a good choice for nmap. Once we all have 5 GHz machines with 2 GB+ memory :P I think Java will deserve a second look for writing command-line tools, though even then I would rather use jython (www.jython.org) than pure Java! Regards, Max --------------------------------------------------------------------- For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List archive: http://seclists.org
Current thread:
- suitability of java for vulnerability scanners alan donald (Mar 19)
- <Possible follow-ups>
- Re: suitability of java for vulnerability scanners Max (Mar 19)