Radium correlation

Chris Wakelin c.d.wakelin at reading.ac.uk
Mon Jun 20 12:10:57 EDT 2011


On 20/06/11 16:35, Carter Bullard wrote:
> Hey Chris,
> Sorry for the delayed response.  I'm not sure why, but I missed it.
> 
> OK, yes, we have versions of radium and other clients that perform these correlations,
> but this has not yet been released, so it hasn't made it yet in the distribution. 
> This is really experimental, but if you are interested in trying it out, I can make it
> available.  It requires a lot of support in the clients, like how to print out the differential
> statistics from the correlated flow records, sort them, graphing, simple things like
> just indicating that correlations are in the flow records etc.... 
> 

I was sort of expecting it to just discard one of them if it was
duplicated; pretty much record from "srcid y" if and only if the same
flow doesn't exist in "srcid x". Of course, keeping track of which
sources saw the traffic would be nicer!

> If this is of interest, we should start a thread on the list to get the whole concepts out there.
> 
> The argus support for reading two interfaces at the same time etc.... is definitely
> supposed to be working, so that is a bug if it's not working for you.  What was the issue?

I tried something like:

ARGUS_INTERFACE=ind:eth1/xxx.xxx.xxx.xxx,eth2/yyy.yyy.yyy.yyy

(where xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy are IP addresses used by
our switches) and got:

> argus[14144]: 20 Jun 11 17:02:31.221574 started
> argus[14144]: 20 Jun 11 17:02:31.288588 ArgusGetInterfaceStatus: interface eth2 is up
> argus[14144]: 20 Jun 11 17:02:31.295615 ArgusOpenInterface: pcap_open_live eth1: You don't have permission to capture on that device (socket: Operation not permitted)

I've been using PF_RING-enabled libpcap-1.1.1, but this happens even
with the vanilla libpcap-0.8 that comes with Ubuntu 10.04.

It works if I just specify one of eth1 or eth2. There could conceivably
be some OS-level restriction I suppose ...

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
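The dedup rule sketched in the reply above (keep a flow from "srcid y" only if the same flow was not already seen from "srcid x", while still remembering which sources saw it) can be tried out on its own. The following is an added example, not argus or radium code; the record layout, the source-id labels "x" and "y", and the sample flows are all constructed here, and the flow key is the plain 5-tuple (no time-window matching, which a real correlator would also need):

```python
"""Added example: de-duplicate flow records captured by two Argus sources.

A flow reported by a secondary source is kept only when the primary
source ("x" here) did not already report the same 5-tuple; every source
that saw the flow is recorded so that nothing about coverage is lost.
This is illustrative code, not the argus/radium implementation.
"""
from collections import OrderedDict

# Constructed sample records (not real capture data):
# (srcid, proto, saddr, sport, daddr, dport, bytes)
SAMPLE_RECORDS = [
    ("x", "tcp", "10.0.0.5", 51234, "10.0.1.9", 80, 1200),
    ("y", "tcp", "10.0.0.5", 51234, "10.0.1.9", 80, 1200),    # same flow, seen twice
    ("y", "udp", "10.0.0.7", 5353, "224.0.0.251", 5353, 300),  # only source y saw it
    ("x", "tcp", "10.0.2.3", 44000, "10.0.1.9", 443, 5000),    # only source x saw it
]


def flow_key(rec):
    """Identity of a flow: protocol plus addresses and ports (the 5-tuple)."""
    return rec[1:6]


def correlate(records, primary="x"):
    """Merge records from several sources into one entry per flow.

    Returns an ordered dict mapping flow key -> {"record": rec, "seen_by": [srcids]}.
    The primary source's copy of a record wins regardless of arrival order;
    a secondary source's copy survives only for flows the primary never reported.
    """
    flows = OrderedDict()
    for rec in records:
        key = flow_key(rec)
        entry = flows.get(key)
        if entry is None:
            flows[key] = {"record": rec, "seen_by": [rec[0]]}
            continue
        if rec[0] not in entry["seen_by"]:
            entry["seen_by"].append(rec[0])
        # Replace a secondary copy with the primary's copy if it arrives later.
        if rec[0] == primary and entry["record"][0] != primary:
            entry["record"] = rec
    return flows


def kept_records(flows):
    """The de-duplicated record list a downstream client would consume."""
    return [entry["record"] for entry in flows.values()]


def dropped_count(records, flows):
    """How many input records were discarded as duplicates."""
    return len(records) - len(flows)


def coverage(flows):
    """Per-flow list of which sources observed it, for 'who saw what' reporting."""
    return {key: tuple(entry["seen_by"]) for key, entry in flows.items()}


if __name__ == "__main__":
    merged = correlate(SAMPLE_RECORDS)
    for key, seen in coverage(merged).items():
        print(f"{key}: seen by {','.join(seen)}")
    print(f"kept {len(merged)} of {len(SAMPLE_RECORDS)} records, "
          f"dropped {dropped_count(SAMPLE_RECORDS, merged)}")
```

Running it on the constructed input keeps three flows out of four records: the shared TCP flow is stored once with `seen_by` listing both sources, and the two single-source flows are kept as-is. The same result is produced when source y's copy arrives before source x's, which is the case a naive "first one wins" filter gets wrong.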
