[Snort-users] IP Addresses in Database tables

roman at ...438... roman at ...438...
Fri Jun 1 13:01:45 EDT 2001

There are currently 10 fields which are used to redundently 
represent IP address in the "iphdr" table.

"ip_src, ip_dst": the 32-bit unsigned integer representation
of the IP address

(I believe this is what you mean by "hashes".  Use bit operations
to extract an IP address in dotted notation

Assume: a.b.c.d

a = (ip_src AND FF000000) >> 24
b = (ip_src AND 00FF0000) >> 16
c = (ip_src AND 0000FF00) >> 8
d = (ip_src AND 000000FF)

ip_src0, ... ip_src3; ip_dst0 .. ip_dst3: 4 octets of the
IP address.
( source address = ip_src0 . ip_src1 . ip_src2 . ip_src3 )

Please note that in future versions of the database plug-in, the 
4 octet representation will be removed.


> How are IP addresses "hash" when they are insert into a database.  I have
> snort logging to Oracle and I want to decode the IP address that I see in
> the table.
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

This message was sent using Voicenet WebMail.

More information about the Snort-users mailing list