YAF is Yet Another Flowmeter. The project processes packet data from pcap dumpfiles as generated by tcpdump or via live capture from an interface using pcap into bidirectional flows, then exports those flows to IPFIX Collecting Processes or in an IPFIX-based file format. YAF's output can be used with the SiLK flow analysis tools and the NetSA Aggregated Flow (NAF) toolchain.
YAF also supports partial payload capture. This feature is intended for "banner grabbing" for protocol verification and service presence detection, and is presently experimental.
Why does the world need another network flow event generator? YAF is intended as an experimental implementation tracking developments in the IETF IPFIX working group, specifically bidirectional flow representation and archival storage formats. It is designed to perform acceptably as a flow sensor on any network on which white-box flow collection with commodity hardware is appropriate, but tradeoffs between raw performance and clarity of design have generally been made in favor of the latter.
The YAF toolchain presently consists of two tools, yaf itself, and yafscii, which converts yaf output into ASCII format.
YAF requires glib 2.4.7 or later. Note that glib is also included in many operating environments or ports collections.
YAF requires libairframe.
YAF requires libfixbuf version 0.7.0 or later.
YAF requires libpcap.
Endace DAG live input support requires libdag. Use the --with-dag option to ./configure to enable DAG support.
The YAF application labeling functionality requires the Perl regular expression library, PCRE. This library is available at http://www.pcre.org.
The YAF applications also require the included libyaf library. libyaf implements YAF file and network I/O, packet decoding, fragment assembly, and flow generation. This library is built and installed with the YAF tools distribution.
YAF uses a reasonably standard autotools-based build system. The customary build procedure (./configure && make && make install) should work in most environments. Note that YAF finds libfixbuf and libairframe using the pkg-config facility, so you may have to set the PKG_CONFIG_PATH variable on the configure command line if these libraries are installed in a nonstandard location, other than the prefix to which you are installing YAF itself.
YAF 0.7.0 does not interoperate with previous versions, because it no longer uses provisional information elements for the reverse direction of a biflow. YAF 0.7.0 must be used with an IPFIX Collecting Process that uses PEN 29305 for reverse information elements. For export to SiLK, this implies that the SiLK packer or rwipfix2silk utility must be built against libfixbuf 0.7.0 or later.
Presently, the destinationTransportPort information element contains ICMP type and code information for ICMP or ICMP6 flows; this is nonstandard and may not be interoperable with other IPFIX implementations.
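The following is an added example, not code from the YAF project, showing how a consumer of YAF records should treat destinationTransportPort differently for ICMP and ICMP6 flows than for TCP/UDP flows. The packing of type and code into the field as (type << 8) | code is an assumption about the encoding (it is the convention SiLK uses); confirm it against your own yafscii output before relying on it. The sample records are constructed for the example.

```python
# Added example (not YAF project code): interpret destinationTransportPort
# in YAF-exported flow records. For ICMP/ICMP6 flows the field carries ICMP
# type and code rather than a port; ASSUMPTION: packed as (type << 8) | code.

ICMP = 1
ICMP6 = 58
ICMP_PROTOCOLS = {ICMP, ICMP6}


def decode_transport(protocol: int, dst_port: int):
    """Return ("port", n) for port-bearing protocols, or
    ("icmp", (type, code)) for ICMP and ICMP6 flows.

    dst_port must be a 16-bit value as carried by the IPFIX element.
    """
    if not 0 <= dst_port <= 0xFFFF:
        raise ValueError(f"destinationTransportPort out of range: {dst_port}")
    if protocol in ICMP_PROTOCOLS:
        # YAF-specific packing (assumed): high byte = type, low byte = code.
        return ("icmp", (dst_port >> 8, dst_port & 0xFF))
    return ("port", dst_port)


def summarize(records):
    """Produce human-readable labels for a list of (protocol, dst_port) pairs.

    Records from a non-YAF exporter would carry a real port (usually 0) for
    ICMP, so a collector that assumes the YAF packing must know the source
    of each record; that caveat is why this helper takes the protocol too.
    """
    out = []
    for proto, dport in records:
        kind, value = decode_transport(proto, dport)
        if kind == "icmp":
            icmp_type, icmp_code = value
            out.append(f"proto={proto} icmp type={icmp_type} code={icmp_code}")
        else:
            out.append(f"proto={proto} dport={value}")
    return out


# Constructed sample records (protocol, destinationTransportPort):
#   ICMP echo request (type 8, code 0) packed as 0x0800
#   ICMP destination unreachable, host unreachable (type 3, code 1) -> 0x0301
#   ICMP6 echo request (type 128, code 0) -> 0x8000
#   TCP flow to port 443
SAMPLE_RECORDS = [
    (ICMP, 0x0800),
    (ICMP, 0x0301),
    (ICMP6, 0x8000),
    (6, 443),
]

if __name__ == "__main__":
    for line in summarize(SAMPLE_RECORDS):
        print(line)
```

When feeding YAF output into a generic IPFIX collector, apply this decoding only to records known to come from YAF; other exporters leave destinationTransportPort at a real (usually zero) port for ICMP, and misapplying the split would yield bogus type and code values.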