Snort mailing list archives

Re: IP Header Data Type Preference

From: "Michael L. Artz" <dragon () october29 net>
Date: Sun, 18 May 2003 17:35:40 -0400

A CHAR(15) will take up about 15 bytes (or at least 8 with a VARCHAR - 3bytes for the dots, min 4 bytes for the quads, and 1 byte to hold thelength), whereas a comparable INT will only take up 4 bytes. Plus, youcan perform all sorts of manipulation on the int within the database(i.e. is it between two other ints) that you can't do on the string.

As to how it is referenced in ACID, you should probably take a look atthe php (I haven't). In Perl, you could do a pretty simply pack/unpackoperation on the int, or do the whole 'mask and shift right' idiom. Nottoo tricky, just needs to be done in application space, as opposed todatabase space.

I know that you asked about MySQL, but Postgres has an 'inet' type thatmakes storing and querying IP addresses pretty easy. It is 12 bytes,but can also store the cidr network that the IP is contained in, pluscomes with several handy functions for manipulation.


-Mike

David Markle wrote:

I need some advice on IP Header Data types with a database, say MySQL.  The
MySQL snort database defines IP address information as INT (integer) (i.e.
ip_src/ip_dst in the iphdr table).  Is there a computational benefit to this
within the database or does it really matter.

For example, I could define ip_src (source IP Address) as CHAR(15) rather
than INT.  This would preserve the quad dotted notation in the address.  The
INT definition does not preserve this.  I guess this is my problem.  If the
field does not preserve the dotted notation, how is it addressed in
processing ???   Short uses INT field definitions for ip_src and ip_dst in
the iphdr table.  How is it ultimately references as xxx.xxx.xxx.xxx after
its placed into the database ???

Thanks in advance.

dm



-------------------------------------------------------
Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
The only event dedicated to issues related to Linux enterprise solutions
www.enterpriselinuxforum.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





-------------------------------------------------------
This SF.net email is sponsored by: If flattening out C++ or Java

code to make your application fit in a relational database is painful,don't do it! Check out ObjectStore. Now part of Progress Software.

http://www.objectstore.net/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Hi, Derek Sherred (May 15)
- Re: Hi, Jason Boykin (May 15)
- Re: Hi, Erek Adams (May 15)
- Re: Hi, David Alonso De La Vega Tapage (May 16)
  - IP Header Data Type Preference David Markle (May 16)
    - Re: IP Header Data Type Preference Paul B. Poh (May 16)
    - Re: IP Header Data Type Preference Brian (May 16)
    - Re: IP Header Data Type Preference Michael L. Artz (May 18)