[Snort-users] IP Header Data Type Preference

Paul B. Poh paul at ...6438...
Fri May 16 14:14:06 EDT 2003

I personally prefer to use an INT. It's a tiny bit more efficient as far 
as disk usage. And it's also a bit more efficient to index and sort on.

In general, I believe it's better practice to store the actual data type.

The dotted notation is simply a human convenience of the actual 32-bit IP 
address. For example, is actually the four octets that 
translate to C0:A8:05:32 and C0A80532 is hex for 3232236850 (the decimal 

This link contains a nice simple useful ip address converter for the 
math impaired :-)



David Markle wrote:
> I need some advice on IP Header Data types with a database, say MySQL.  The
> MySQL snort database defines IP address information as INT (integer) (i.e.
> ip_src/ip_dst in the iphdr table).  Is there a computational benefit to this
> within the database or does it really matter.
> For example, I could define ip_src (source IP Address) as CHAR(15) rather
> than INT.  This would preserve the quad dotted notation in the address.  The
> INT definition does not preserve this.  I guess this is my problem.  If the
> field does not preserve the dotted notation, how is it addressed in
> processing ???   Snort uses INT field definitions for ip_src and ip_dst in
> the iphdr table.  How is it ultimately referenced as xxx.xxx.xxx.xxx after
> it's placed into the database ???
> Thanks in advance.
> dm
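
Added example, not part of the original thread or of Snort's own code: it converts between dotted notation and the 32-bit integer, then compares range lookup and sort order for an integer column against a text column. The dotted address 192.168.5.50 is derived from the hex C0A80532 quoted above; the table iphdr_demo, the sample addresses, and the use of an in-memory SQLite database in place of MySQL are assumptions made for the demonstration.

```python
import ipaddress
import sqlite3

def ip_to_int(dotted):
    """Dotted quad -> unsigned 32-bit integer (same value MySQL INET_ATON gives)."""
    return int(ipaddress.IPv4Address(dotted))

def int_to_ip(value):
    """Unsigned 32-bit integer -> dotted quad (same string MySQL INET_NTOA gives)."""
    return str(ipaddress.IPv4Address(value))

def cidr_bounds(cidr):
    """First and last address of a network as integers, for one indexed range scan."""
    net = ipaddress.ip_network(cidr)
    return int(net.network_address), int(net.broadcast_address)

# Constructed sample source addresses, not real alert data.
SAMPLE = ["192.168.5.50", "10.0.0.7", "192.168.5.9", "192.168.10.1", "9.255.0.1"]

def build_db():
    """Hypothetical demo table holding each address both as integer and as text."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE iphdr_demo (ip_src INTEGER NOT NULL, ip_txt TEXT NOT NULL)")
    db.execute("CREATE INDEX idx_ip_src ON iphdr_demo (ip_src)")
    db.executemany("INSERT INTO iphdr_demo VALUES (?, ?)",
                   [(ip_to_int(a), a) for a in SAMPLE])
    return db

def sources_in(db, cidr):
    """All stored sources inside a network, rendered back to dotted notation."""
    lo, hi = cidr_bounds(cidr)
    rows = db.execute("SELECT ip_src FROM iphdr_demo "
                      "WHERE ip_src BETWEEN ? AND ? ORDER BY ip_src", (lo, hi))
    return [int_to_ip(r[0]) for r in rows]

def sorted_as_int(db):
    rows = db.execute("SELECT ip_src FROM iphdr_demo ORDER BY ip_src")
    return [int_to_ip(r[0]) for r in rows]

def sorted_as_text(db):
    rows = db.execute("SELECT ip_txt FROM iphdr_demo ORDER BY ip_txt")
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build_db()
    print(hex(ip_to_int("192.168.5.50")), ip_to_int("192.168.5.50"))
    print("in 192.168.5.0/24:", sources_in(db, "192.168.5.0/24"))
    print("integer order:", sorted_as_int(db))
    print("text order:   ", sorted_as_text(db))
```

In MySQL the integer column has to be INT UNSIGNED, because addresses from 128.0.0.0 upward exceed the signed 32-bit maximum of 2147483647.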
