Radium correlation

Carter Bullard carter at qosient.com
Mon Jun 20 18:45:40 EDT 2011


Well that is odd.  Haven't seen anything like that here, on any machine.
So what happens when you have two ARGUS_INTERFACE directives:

ARGUS_INTERFACE=eth1/xxx.xxx.xxx.xxx
ARGUS_INTERFACE=eth2/yyy.yyy.yyy.yyy

Carter


On Jun 20, 2011, at 12:10 PM, Chris Wakelin wrote:

> On 20/06/11 16:35, Carter Bullard wrote:
>> Hey Chris,
>> Sorry for the delayed response.  I'm not sure why, but I missed it.
>> 
>> OK, yes, we have versions of radium and other clients that perform these correlations,
>> but this has not yet been released, so it hasn't made it yet in the distribution. 
>> This is really experimental, but if you are interested in trying it out, I can make it
>> available.  It requires a lot of support in the clients, like how to print out the differential
>> statistics from the correlated flow records, sort them, graphing, simple things like
>> just indicating that correlations are in the flow records etc.... 
>> 
> 
> I was sort of expecting it to just discard one of them if it was
> duplicated; pretty much record from "srcid y" if and only if the same
> flow doesn't exist in "srcid x". Of course, keeping track of which
> sources saw the traffic would be nicer!
> 
>> If this is of interest, we should start a thread on the list to get the whole concepts out there.
>> 
>> The argus support for reading two interfaces at the same time etc.... is definitely
>> supposed to be working, so that is a bug if it's not working for you.  What was the issue?
> 
> I tried something like:
> 
> ARGUS_INTERFACE=ind:eth1/xxx.xxx.xxx.xxx,eth2/yyy.yyy.yyy.yyy
> 
> (where xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy are IP addresses used by
> our switches) and got:
> 
>> argus[14144]: 20 Jun 11 17:02:31.221574 started
>> argus[14144]: 20 Jun 11 17:02:31.288588 ArgusGetInterfaceStatus: interface eth2 is up
>> argus[14144]: 20 Jun 11 17:02:31.295615 ArgusOpenInterface: pcap_open_live eth1: You don't have permission to capture on that device (socket: Operation not permitted)
> 
> I've been using PF_RING-enabled libpcap-1.1.1, but this happens even
> with the vanilla libpcap-0.8 that comes with Ubuntu 10.04.
> 
> It works if I just specify one of eth1 or eth2. There could conceivably
> be some OS-level restriction I suppose ...
> 
> Best Wishes,
> Chris
> 
> -- 
> --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
> Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
> IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
> Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
> 
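Chris describes the correlation he expected from two sensors: keep a flow from "srcid y" only if the same flow was not already seen from "srcid x", while still tracking which sources saw it. The following is an added example written for this archive page, not argus or radium code, showing that merge on a small constructed set of flow records. The record field names (srcid, proto, saddr, sport, daddr, dport, pkts, bytes) and the sensor ids "x"/"y" are assumptions for the illustration; it also records the per-sensor packet and byte differences that the "differential statistics" Carter mentions would be derived from.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample, not captured data: one TCP flow reported by both sensors,
# one UDP flow seen only by sensor "x", one SSH flow seen only by sensor "y".
# Field names are assumptions for this illustration, not argus record fields.
SAMPLE_FLOWS = [
    {"srcid": "x", "proto": "tcp", "saddr": "10.0.0.5", "sport": 51234,
     "daddr": "192.0.2.10", "dport": 443, "pkts": 12, "bytes": 3400},
    {"srcid": "y", "proto": "tcp", "saddr": "10.0.0.5", "sport": 51234,
     "daddr": "192.0.2.10", "dport": 443, "pkts": 11, "bytes": 3340},
    {"srcid": "x", "proto": "udp", "saddr": "10.0.0.7", "sport": 5353,
     "daddr": "224.0.0.251", "dport": 5353, "pkts": 2, "bytes": 180},
    {"srcid": "y", "proto": "tcp", "saddr": "10.0.0.9", "sport": 40000,
     "daddr": "198.51.100.4", "dport": 22, "pkts": 30, "bytes": 5100},
]

FlowKey = Tuple[str, str, int, str, int]


def flow_key(rec: dict) -> FlowKey:
    """Five-tuple identifying a flow independent of which sensor reported it."""
    return (rec["proto"], rec["saddr"], rec["sport"], rec["daddr"], rec["dport"])


@dataclass
class MergedFlow:
    key: FlowKey
    pkts: int
    bytes: int
    seen_by: List[str] = field(default_factory=list)
    # (pkts, bytes) difference of each other sensor relative to the kept counts;
    # a non-zero delta points at loss or asymmetric visibility on one sensor.
    count_deltas: Dict[str, Tuple[int, int]] = field(default_factory=dict)


def correlate(records: List[dict], primary: str = "x") -> Dict[FlowKey, MergedFlow]:
    """
    Merge per-sensor flow records into one record per flow key.
    Counts come from the primary sensor whenever it saw the flow; a flow seen
    only by another sensor keeps that sensor's counts (the "record from srcid y
    only if srcid x did not see it" rule). seen_by lists every sensor that
    reported the flow, so nothing is silently discarded.
    """
    merged: Dict[FlowKey, MergedFlow] = {}
    for rec in records:
        k, sid = flow_key(rec), rec["srcid"]
        if k not in merged:
            merged[k] = MergedFlow(k, rec["pkts"], rec["bytes"], [sid])
            continue
        m = merged[k]
        if sid in m.seen_by:
            continue  # same sensor reporting the same flow again; nothing new
        if sid == primary:
            # Primary sensor wins: swap in its counts, keep the delta for the
            # sensor whose counts were held so far.
            prev = m.seen_by[0]
            m.count_deltas[prev] = (m.pkts - rec["pkts"], m.bytes - rec["bytes"])
            m.pkts, m.bytes = rec["pkts"], rec["bytes"]
        else:
            m.count_deltas[sid] = (rec["pkts"] - m.pkts, rec["bytes"] - m.bytes)
        m.seen_by.append(sid)
    return merged


def seen_only_by(merged: Dict[FlowKey, MergedFlow], sid: str) -> List[FlowKey]:
    """Flow keys that exactly one sensor (sid) reported; a coverage-gap check."""
    return sorted(k for k, m in merged.items() if m.seen_by == [sid])


if __name__ == "__main__":
    result = correlate(SAMPLE_FLOWS)
    for k in sorted(result):
        m = result[k]
        print(k, "pkts", m.pkts, "bytes", m.bytes, "seen_by", m.seen_by, "deltas", m.count_deltas)
    print("only y:", seen_only_by(result, "y"))
```

With the constructed input, the 443 flow is kept once with sensor x's counts and a delta of (-1, -60) recorded for sensor y, the multicast flow is listed as seen only by x, and the SSH flow is listed as seen only by y. Running `seen_only_by` over real records from two taps is the quick way to find which flows one sensor is missing before trusting a merged feed.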
