Radium correlation

Carter Bullard carter at qosient.com
Mon Jun 20 11:35:39 EDT 2011


Hey Chris,
Sorry for the delayed response.  I'm not sure why, but I missed it.

OK, yes, we have versions of radium and other clients that perform these correlations,
but this has not yet been released, so it hasn't made it into the distribution yet.
This is really experimental, but if you are interested in trying it out, I can make it
available.  It requires a lot of support in the clients, like how to print out the differential
statistics from the correlated flow records, sort them, graph them, and simple things like
just indicating that correlations are in the flow records, etc.

If this is of interest, we should start a thread on the list to get the whole concept out there.

The argus support for reading two interfaces at the same time, etc., is definitely
supposed to be working, so that is a bug if it's not working for you.  What was the issue?

Carter

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax

On Jun 10, 2011, at 6:43 PM, Chris Wakelin wrote:

> Hi,
> 
> I've got a network sensor with two network streams, on different
> interfaces, from two different places on the network. The majority of
> traffic will actually get seen by both.
> 
> I see in the radium.conf(5) man page that there's supposed to be a
> "RADIUM_CORRELATE" option which would match streams from two (or more?)
> sources and store flows only once where they were duplicated in the
> streams. However, it doesn't seem to work, and I can't see anything in
> "radium.c" (or the sample radium.conf file) to suggest it exists. Did
> this functionality get removed at some point?
> 
> I see also that "argus" itself ought to be able to listen on both
> interfaces at once (though I couldn't get that to work either). Is there
> a benefit in using "radium" combining two instances of "argus" rather
> than this?
> 
> Best Wishes,
> Chris
> 
> -- 
> --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
> Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
> IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
> Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094
> 
