NAF is the NetSA Aggregated Flow toolchain. The NAF tools create and manipulate the IPFIX-based NAF file format, designed as a common format for aggregate network flow analysis. The most important difference between aggregate and raw flows is that the NAF format splits and aggregates flows into constant-size time bins. Information about the exact start time of each flow, and flow duration, is lost.

The NAF toolchain presently consists of four tools. nafalize is the NAF normalizer and aggregator, which reads libpcap save files, packets from a live libpcap interface, Argus 2.0.6 RA format flow data, or SiLK RW flow data, or existing NAF aggregate flows, and aggregates them into time and flow key bins based upon a nafalize aggregation expression. nafilter filters existing NAF data for drilling down into NAF files. nafscii prints NAF files as whitespace-separated, columnar ASCII files for manipulation by utilities that can handle whitespace-separated text. nafload inserts NAF files into a relational database via AirDBC, the AirCERT Database Connectivity layer.