[Snort-users] Hash function for ip 4-tuple

[Alex Adamos]

Hi,

in order to keep track of flows in my DPX i want to create a hash table, but i don't have any experience in hashing. Can anyone propose any idea how the hash function should be? 

Thanks,

Alex.

[Kiryukhin Andrey]

I'm not professional in that. When i need quick solution, I tried the following method.

( IP1*(2^16) + port1)  xor  ( IP2*(2^16) + port2 )

It is a simple method, and does not guarantee that no conflicts.

This worked for my needs.

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan

_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

[Alex Adamos]

Thanks Andrei, i'll try that!

How do you get the IP? in sfSnortPacket structure its a sfip_t type. Is it done with sfip_to_str and then something like strtol?

---

Date: Mon, 4 Feb 2013 16:19:24 +0400
From: andre...@mail.ru
To: alextha...@hotmail.com
CC: snort...@lists.sourceforge.net
Subject: Re: [Snort-users] Hash function for ip 4-tuple

[Bhagya Bantwal]

Alex,

You could use the stream api functions: get_application_data and set_application_data in stream_api.c to set and get any application data per flow.

There are also hash functions in src/sfutil/sfxhash.h which you could use to implement your flow tracking.

Hope that helps.

-B