NAF
===

NAF is the NetSA Aggregated Flow toolchain, by the CERT Network Situational 
Awareness Group. The NAF tools create and manipulate the IPFIX-based NAF file
format, designed as a common format for aggregate network flow analysis. 
The most important difference between aggregate and raw flows is that the 
NAF format splits and aggregates flows into constant-size time bins. 
Information about the exact start time of each flow, and flow duration, 
is lost.
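
The effect of binning on what an analyst can still recover, as an added sketch that is not NAF or libnaf code. The 300-second bin size, the (source, destination) flow key, the uniform spreading of octets over a flow's duration, and all addresses and counters are assumptions constructed for the illustration.

```python
from collections import defaultdict

BIN_SIZE = 300  # seconds; constructed value, the page does not fix a bin size

def split_flow(start, end, octets, bin_size=BIN_SIZE):
    """Split one raw flow covering [start, end) into (bin_start, octets) shares.

    Assumption: octets are spread uniformly over the flow's duration.
    """
    if end < start:
        raise ValueError("flow ends before it starts")
    first = start - start % bin_size
    if end == start:                      # zero-duration flow: one bin gets it all
        return [(first, octets)]
    shares, assigned = [], 0
    for b in range(first, end, bin_size):
        overlap = min(end, b + bin_size) - max(start, b)
        share = octets * overlap // (end - start)
        shares.append([b, share])
        assigned += share
    shares[-1][1] += octets - assigned    # rounding remainder keeps the total exact
    return [tuple(s) for s in shares]

def aggregate(flows, bin_size=BIN_SIZE):
    """Sum shares per (bin_start, sip, dip); start time and duration are dropped."""
    bins = defaultdict(int)
    for start, end, sip, dip, octets in flows:
        for bin_start, share in split_flow(start, end, octets, bin_size):
            bins[(bin_start, sip, dip)] += share
    return dict(bins)

# Constructed raw flows: (start, end, sip, dip, octets), times in epoch seconds.
ONE_LONG_FLOW = [(10, 290, "192.0.2.10", "198.51.100.5", 9000)]
THREE_BURSTS = [
    (0, 5, "192.0.2.10", "198.51.100.5", 3000),
    (100, 101, "192.0.2.10", "198.51.100.5", 3000),
    (250, 299, "192.0.2.10", "198.51.100.5", 3000),
]

if __name__ == "__main__":
    print(split_flow(200, 800, 6000))   # one flow spread over three bins
    print(aggregate(ONE_LONG_FLOW))
    print(aggregate(THREE_BURSTS))      # identical to the line above
```

Both constructed inputs aggregate to the same single record, so a timeline reconstructed from binned data is only as precise as the bin size.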

The NAF toolchain presently consists of four tools. nafalize is the NAF 
normalizer and aggregator, which reads libpcap save files, packets from a
live libpcap interface, Argus 2.0.6 RA format flow data, SiLK RW flow data, 
or generic IPFIX flow data, and aggregates and filters them into time and 
flow key bins based upon a nafalize aggregation expression. nafilter sorts 
and filters existing NAF data for drilling down into NAF files. nafscii 
prints NAF files as whitespace-separated, columnar ASCII files for 
manipulation by utilities that can handle whitespace-separated text.
nafload inserts NAF files into a relational database via AirDBC, the AirCERT 
Database Connectivity layer.

Building
========

NAF requires glib 2.6.4 or later; glib is available at http://www.gtk.org. 
Build and install glib before building NAF. Note that glib is also included 
in many operating environments or ports collections.

NAF requires libairframe 0.6.6 or later; libairframe is available at 
http://tools.netsa.cert.org/airframe. Build and install libairframe
before building NAF.

NAF requires libfixbuf version 0.6.0 or later; libfixbuf is available at
http://tools.netsa.cert.org/fixbuf. Build and install libfixbuf before
building NAF. 

nafload requires AirDBC version 0.2.0 or later. AirDBC is available at 
http://tools.netsa.cert.org/airdbc. Build and install AirDBC before 
building NAF if nafload support is required. Use the --with-airdbc option to
./configure to enable nafload support.

nafalize packet input support requires YAF 0.6.0 or later (specifically, 
the YAF packet decode and defragmentation library, libyafrag). YAF is 
available at http://tools.netsa.cert.org/yaf. Build and install YAF before 
building NAF if nafalize packet input support is required. Use the 
--with-yafrag option to ./configure to enable packet input support.

nafalize SiLK input support requires SiLK 0.11.0 or later. SiLK is available at
http://tools.netsa.cert.org/silk. Build and install the SiLK analysis tools
before building NAF if nafalize SiLK input support is required. Use the 
--with-silk option to ./configure to enable SiLK input support.

The NAF applications also require the included libnaf library, which
implements NAF file I/O. This library is built and installed with the NAF
tools distribution, and may be required by other software that interoperates 
with NAF.

NAF uses a reasonably standard autotools-based build system. The customary
build procedure (./configure && make && make install) should work in most
environments. Note that NAF finds libfixbuf, libairframe, libairdbc, and 
libyafrag using the pkg-config(1) facility, so you may have to set the 
PKG_CONFIG_PATH variable on the configure command line if these libraries 
are installed in a nonstandard location, other than the prefix to which you 
are installing NAF itself.

Known Issues
============

In general, NAF is beta-quality software. Not every reasonable combination 
of input and configuration has been tested. Be aware of this before using 
NAF in production environments.