Nmap Development mailing list archives

Re: suitability of java for vulnerability scanners


From: "Max" <maxs () webwizarddesign com>
Date: Fri, 19 Mar 2004 14:20:46 +0500

Alan,

On Fri, 19 Mar 2004 03:39:52 PST, alan donald wrote:
I wanted to know why Java is not used to make
software like nessus or nmap. Is it because it may
not have the ability to make packets? Is there any
such library (and to what extent can it be used) that
can be leveraged in Java which can help make
software like those mentioned above?

Plus I have not seen Java being used for such
software. Rather C or perl seems to be a more common
option. Can you shed some light on this too?
 
    The problems with Java for this kind of project, in
    my opinion, are three-fold.  Architecture
    independence, startup speed, and resource usage are the 
    three big drawbacks I see for using it for a tool
    like nmap.
  
    Java attempts to have as few machine/architecture 
    dependent features as possible (as you know), so
    doing systems programming with it is a lot more work 
    than with C or perl or python or ruby or C++ :) ..
    many things that can be done with a direct system
    call in the above languages require numerous lines 
    to get to in Java, and others would even require JNI glue
    to be written to be done.

    Yes, JDK 1.4+ now has UDP/TCP packet handling
    (UDP was added recently), but I don't think IP
    packets can be custom-crafted with Java yet.

    Startup time.  Even though Java bytecode can run 
    nearly as fast as native C/C++ with a good JIT
    compiler, the startup time for Java/JVM still
    sucks :P in my opinion .. so for programs that 
    only run for a minute or two, waiting 15-30 seconds 
    for a program to start is a disincentive in my opinion.

    Resource usage.  A JVM generally uses significantly more
    memory than does an instance of the perl interpreter
    or a C/C++ compiled binary.

    There is an NNM written in Java, several in
    fact, and Java does well there (long running processes), 
    but from my experience I still think that most machines
    are not fast enough to make Java a language that
    is good for a command-line tool like nmap.

    NmapFE in Java .. that would be cool :).

    Just my opinions.  Architecture-wise, I think Java 
    would be a good choice for nmap.  Once we all have 5 GHz
    machines with 2 GB+ memory :P I think Java will deserve a 
    second look for writing command-line tools, though even
    then I would rather use Jython (www.jython.org) than pure Java!

Regards,
Max

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org


