[Snort-users] IP Header Data Type Preference

Paul B. Poh paul at ...6438...
Fri May 16 14:14:06 EDT 2003


I personally prefer to use an INT. It's a tiny bit more efficient as far 
as disk usage. And it's allow a bit more efficient to index and sort on.

In general, I believe it's better practice to store the actual data type.

The dotted notation is simply a human-convinience of the actual 32bit ip 
address. For example, 192.165.5.50 is actually the four octets that 
translate to C0:A8:05:32 and C0A80532 is hex for 3232236850 (the decimal 
representation).

This link contains a nice simple useful ip address converter for the 
math impaired :-)

http://www.telusplanet.net/public/sparkman/netcalc.htm

Paul.

David Markle wrote:
> I need some advice on IP Header Data types with a database, say MySQL.  The
> MySQL snort database defines IP address information as INT (integer) (i.e.
> ip_src/ip_dst in the iphdr table).  Is there a computational benefit to this
> within the database or does it really matter.
> 
> For example, I could define ip_src (source IP Address) as CHAR(15) rather
> than INT.  This would preserve the quad dotted notation in the address.  The
> INT definition does not preserve this.  I guess this is my problem.  If the
> field does not preserve the dotted notation, how is it addressed in
> processing ???   Short uses INT field definitions for ip_src and ip_dst in
> the iphdr table.  How is it ultimately references as xxx.xxx.xxx.xxx after
> its placed into the database ???
> 
> Thanks in advance.
> 
> dm
> 





More information about the Snort-users mailing list