YAF
===

YAF is Yet Another Flowmeter. It processes packet data from pcap(3) dumpfiles 
as generated by tcpdump(1) or via live capture from an interface using pcap(3) 
or an Endace DAG card into bidirectional flows, then exports those flows to 
IPFIX Collecting Processes or in an IPFIX-based file format. YAF's output can
be used with the SiLK flow analysis tools and the NetSA Aggregated Flow 
(NAF) toolchain. 

YAF also supports partial payload capture - this feature is intended for use 
in "banner grabbing" for protocol verification and service presence detection, 
and is presently experimental.

Why does the world need another network flow event generator? YAF is 
intended as an experimental implementation tracking developments in the IETF 
IPFIX working group, specifically bidirectional flow representation and 
archival storage formats. It is designed to perform acceptably as a flow sensor
on any network on which white-box flow collection with commodity hardware is 
appropriate, but tradeoffs between raw performance and clarity of design have 
generally been made in favor of the latter.

The YAF toolchain presently consists of two tools, yaf itself, and yafscii, 
which converts yaf output into ASCII format. 

Building
========

YAF requires glib 2.4.7 or later; glib is available at 
http://www.gtk.org. Build and install glib before building YAF. Note that 
glib is also included in many operating environments or ports collections.

YAF requires libairframe @YAF_REQ_AIRFRAME_VER@ or later; libairframe is available at 
http://tools.netsa.cert.org/airframe. Build and install libairframe
before building YAF.

YAF requires libfixbuf version 0.7.2 0.7.0 or later; libfixbuf is available at
http://tools.netsa.cert.org/fixbuf. Build and install libfixbuf before
building YAF. 

YAF requires libpcap from http://www.tcpdump.org. Note that libpcap is included
with many operating environments or ports collections.

Endace DAG live input support requires libdag. Use the --with-dag option to
./configure to enable DAG support.

The YAF application labeling functionality requires the Perl regular expression
library, PCRE.  This library is available at http://www.pcre.org.

The YAF applications also require the included libyaf library.
libyaf implements YAF file and network I/O, packet decoding, fragment 
assembly, and flow generation. This library is built and installed
with the YAF tools distribution.

YAF uses a reasonably standard autotools-based build system. The customary
build procedure (./configure && make && make install) should work in most
environments. Note that YAF finds libfixbuf and libairframe using the
pkg-config(1) facility, so you may have to set the PKG_CONFIG_PATH variable 
on the configure command line if these libraries are installed in a 
nonstandard location, other than the prefix to which you are installing 
YAF itself.

Known Issues
============

YAF 0.7.0 does not interoperate with previous versions,
because it no longer uses provisional information elements for the reverse
direction of a biflow. YAF 0.7.0 must be used with an IPFIX Collecting Process
that uses PEN 29305 for reverse information elements. For export to SiLK, this
implies that the SiLK packer or rwipfix2silk utility must be built against
libfixbuf 0.7.0 or later.

Presently, the destinationTransportPort information element contains
ICMP type and code information for ICMP or ICMP6 flows; this is nonstandard
and may not be interoperable with other IPFIX implementations.
