[Snort-users] IP Header Data Type Preference

Michael L. Artz dragon at ...8731...
Sun May 18 14:53:07 EDT 2003

A CHAR(15) will take up about 15 bytes (or at least 8 with a VARCHAR - 3 
bytes for the dots, min 4 bytes for the quads, and 1 byte to hold the 
length), whereas a comparable INT will only take up 4 bytes.  Plus, you 
can perform all sorts of manipulation on the int within the database 
(i.e. is it between two other ints) that you can't do on the string.

As to how it is referenced in ACID, you should probably take a look at 
the php (I haven't).  In Perl, you could do a pretty simply pack/unpack 
operation on the int, or do the whole 'mask and shift right' idiom.  Not 
too tricky, just needs to be done in application space, as opposed to 
database space.

I know that you asked about MySQL, but Postgres has an 'inet' type that 
makes storing and querying IP addresses pretty easy.   It is 12 bytes, 
but can also store the cidr network that the IP is contained in, plus 
comes with several handy functions for manipulation.


David Markle wrote:

>I need some advice on IP Header Data types with a database, say MySQL.  The
>MySQL snort database defines IP address information as INT (integer) (i.e.
>ip_src/ip_dst in the iphdr table).  Is there a computational benefit to this
>within the database or does it really matter.
>For example, I could define ip_src (source IP Address) as CHAR(15) rather
>than INT.  This would preserve the quad dotted notation in the address.  The
>INT definition does not preserve this.  I guess this is my problem.  If the
>field does not preserve the dotted notation, how is it addressed in
>processing ???   Short uses INT field definitions for ip_src and ip_dst in
>the iphdr table.  How is it ultimately references as xxx.xxx.xxx.xxx after
>its placed into the database ???
>Thanks in advance.
>Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
>The only event dedicated to issues related to Linux enterprise solutions
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

More information about the Snort-users mailing list