[Snort-users] unpacking IP follow up

John strgout at ...10330...
Mon Aug 2 09:20:00 EDT 2004

On Sun, Aug 01, 2004 at 09:27:27PM -0400, Don Murdoch wrote:
> 	OH - after I had my senior moment - I did notice from the ACID
> 	page that you can write
> 	"Select inet_ntoa( ip_src ) from iphdr" 
> 	and it does work.  SO ... now that I am totally embarrassed, I 
> 	would still like to know if anyone has a code chunk they can
> 	share which shows how to do this "the hard way".
> 	Much ablidged
> --------------------------------------
> >From the home outbox of ... 
> Don Murdoch, CISSP
> Today's Sun Tzu Quote: "To fight and conquer in all your battles is not
> supreme excellence; supreme excellence consists in breaking the enemy's
> resistance without fighting." -Sun Tzu 

If you want to do this with perl (i would ;) ) here is one way you could do it.

# We only need access to inet_aton and inet_ntoa.
use Socket qw (inet_aton inet_ntoa);
my $int = '167837953';
my $ip = '';
# convert ip (example to 32bit int.
print "Ip in Int form " . unpack( "N", inet_aton($ip) ) . "\n";
# convert 32bit (example 167837953) to ip
print "Ip in IP form " . inet_ntoa( pack("N", $int) ) . "\n";

Then you can always cache the results in hash so that you only call the socket
func 1 time per ip. Should speed things up a bit and let the database
concentrate on database stuff.

Very basic cache check...

my %ipcache;

$ipcache{ $int } = inet_ntoa( pack("N", $int) ) unless defined( $ipcache{ $int } );

Something like that.

More information about the Snort-users mailing list