[Snort-users] IP Header Data Type Preference
Paul B. Poh
paul at ...6438...
Fri May 16 14:14:06 EDT 2003
I personally prefer to use an INT. It's a tiny bit more efficient as far
as disk usage. And it's allow a bit more efficient to index and sort on.
In general, I believe it's better practice to store the actual data type.
The dotted notation is simply a human-convinience of the actual 32bit ip
address. For example, 126.96.36.199 is actually the four octets that
translate to C0:A8:05:32 and C0A80532 is hex for 3232236850 (the decimal
This link contains a nice simple useful ip address converter for the
math impaired :-)
David Markle wrote:
> I need some advice on IP Header Data types with a database, say MySQL. The
> MySQL snort database defines IP address information as INT (integer) (i.e.
> ip_src/ip_dst in the iphdr table). Is there a computational benefit to this
> within the database or does it really matter.
> For example, I could define ip_src (source IP Address) as CHAR(15) rather
> than INT. This would preserve the quad dotted notation in the address. The
> INT definition does not preserve this. I guess this is my problem. If the
> field does not preserve the dotted notation, how is it addressed in
> processing ??? Short uses INT field definitions for ip_src and ip_dst in
> the iphdr table. How is it ultimately references as xxx.xxx.xxx.xxx after
> its placed into the database ???
> Thanks in advance.
More information about the Snort-users