[Snort-users] IP Header Data Type Preference
Michael L. Artz
dragon at ...8731...
Sun May 18 14:53:07 EDT 2003
A CHAR(15) will take up about 15 bytes (or at least 8 with a VARCHAR - 3
bytes for the dots, min 4 bytes for the quads, and 1 byte to hold the
length), whereas a comparable INT will only take up 4 bytes. Plus, you
can perform all sorts of manipulation on the int within the database
(i.e. is it between two other ints) that you can't do on the string.
As to how it is referenced in ACID, you should probably take a look at
the php (I haven't). In Perl, you could do a pretty simply pack/unpack
operation on the int, or do the whole 'mask and shift right' idiom. Not
too tricky, just needs to be done in application space, as opposed to
I know that you asked about MySQL, but Postgres has an 'inet' type that
makes storing and querying IP addresses pretty easy. It is 12 bytes,
but can also store the cidr network that the IP is contained in, plus
comes with several handy functions for manipulation.
David Markle wrote:
>I need some advice on IP Header Data types with a database, say MySQL. The
>MySQL snort database defines IP address information as INT (integer) (i.e.
>ip_src/ip_dst in the iphdr table). Is there a computational benefit to this
>within the database or does it really matter.
>For example, I could define ip_src (source IP Address) as CHAR(15) rather
>than INT. This would preserve the quad dotted notation in the address. The
>INT definition does not preserve this. I guess this is my problem. If the
>field does not preserve the dotted notation, how is it addressed in
>processing ??? Short uses INT field definitions for ip_src and ip_dst in
>the iphdr table. How is it ultimately references as xxx.xxx.xxx.xxx after
>its placed into the database ???
>Thanks in advance.
>Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
>The only event dedicated to issues related to Linux enterprise solutions
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:
More information about the Snort-users