subnet() function

[jelu]

Ref #12 f0a0a66

[kdrenard]

I think this would be very useful. I have done my own implementation as a new field [masking done in IP_header::decode()] and as a function over a existing field [masking done in new Netmask_func()]. The new-field approach performs slightly better because it can operate immediately on the raw address bytes instead of requiring pton()/ntop(), but it's not a large difference. For a somewhat large PCAP with 14.5M dns messages:

SELECT dst_addr FROM dns:                     11.5 sec     # Original code, no new field
SELECT dst_subnet FROM dns;                   10.6 sec(*)  # Subnet as new field
SELECT netmask (dst_addr, 24, 48) FROM dns;   15.3 sec     # Subnet as output of function

Initially, I thought there would be functionality differences between these two approaches, but I cannot seem to recall them. I can happily do things like :

SELECT netmask(src_addr, 24, 48) as src_subnet, COUNT(*) as count GROUP BY src_subnet ORDER BY count DESC;

Can anyone think of advantages or disadvantages to either approach? The function approach seems slightly more intuitive to me. I would be happy to clean up my code and contribute. Any guidance (such as calling it "subnet" or "netmask" or ??) would be appreciated.

(*) I"m guessing that the zero-compression in IPv6 address subnets leads to a reduction in I/O and the net drop in run time

[jelu]

I'd be happy to review the code!

Some of the difference in doing a new field is that there will be a fixed mask for all addresses and it won't be as easy to change as it would be with a function. Another is that a new field will add more memory usage for everyone.