Radium correlation

Chris Wakelin c.d.wakelin at reading.ac.uk
Fri Jun 10 18:43:22 EDT 2011


Hi,

I've got a network sensor with two network streams, on different
interfaces, from two different places on the network. The majority of
traffic will actually get seen by both.

I see in the radium.conf(5) man page that there's supposed to be a
"RADIUM_CORRELATE" option which would match streams from two (or more?)
sources and store flows only once where they were duplicated in the
streams. However, it doesn't seem to work, and I can't see anything in
"radium.c" (or the sample radium.conf file) to suggest it exists. Did
this functionality get removed at some point?

I see also that "argus" itself ought to be able to listen on both
interfaces at once (though I couldn't get that to work either). Is there
a benefit in using "radium" combining two instances of "argus" rather
than this?

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094


