YAF
===

YAF is Yet Another Flowmeter. It processes packet data from pcap(3) dumpfiles 
as generated by tcpdump(1) or via live capture from an interface using pcap(3),
an Endace DAG card, or a Napatech adapter into bidirectional flows, then 
exports those flows to IPFIX Collecting Processes or in an IPFIX-based file 
format. YAF's output can be used with the SiLK flow analysis tools and the 
NetSA Aggregated Flow (NAF) toolchain. 

YAF also supports partial payload capture - this feature is intended for use 
in "banner grabbing" for protocol verification and service presence detection, 
and is presently experimental.

Why does the world need another network flow event generator? YAF is 
intended as an experimental implementation tracking developments in the IETF 
IPFIX working group, specifically bidirectional flow representation and 
archival storage formats. It is designed to perform acceptably as a flow sensor
on any network on which white-box flow collection with commodity hardware is 
appropriate, but tradeoffs between raw performance and clarity of design have 
generally been made in favor of the latter.

The YAF toolchain presently consists of two tools, yaf itself, and yafscii, 
which converts yaf output into ASCII format. 

Building
========

YAF requires glib 2.4.7 or later; glib is available at 
http://www.gtk.org. Build and install glib before building YAF. Note that 
glib is also included in many operating environments or ports collections.

YAF requires libfixbuf version 1.0.0 or later; libfixbuf is available at
http://tools.netsa.cert.org/fixbuf. Build and install libfixbuf before
building YAF. 

Spread support requires Spread 4.1 or later.  Build and install Spread before 
building YAF. YAF requires libfixbuf version 0.9.0 or later if YAF is compiled
with Spread support.

YAF requires libpcap from http://www.tcpdump.org. Note that libpcap is included
with many operating environments or ports collections.

Endace DAG live input support requires libdag. Use the --with-dag option to
./configure to enable DAG support.

Napatech live input support requires libpcapexpress. libpcapexpress library 
is available to Napatech customers for download at www.pcapexpress.com. 
Use the --with-napatech option to ./configure to enable Napatech support.  Before
starting YAF with --live napatech, reload Napatech drivers using
pcapxctl -r (Napatech Driver Load/Unload Script).

The YAF application labeling functionality requires the Perl regular expression
library, PCRE.  This library is available at http://www.pcre.org.  If YAF is 
installed in a nonstandard location, it may be necessary to set the 
LTDL_LIBRARY_PATH environment variable to the location where the application
labeling plugins are installed.

The YAF applications also require the included libyaf library.
libyaf implements YAF file and network I/O, packet decoding, fragment 
assembly, and flow generation. This library is built and installed
with the YAF tools distribution.

YAF uses a reasonably standard autotools-based build system. The customary
build procedure (./configure && make && make install) should work in most
environments. Note that YAF finds libfixbuf and libairframe using the
pkg-config(1) facility, so you may have to set the PKG_CONFIG_PATH variable 
on the configure command line if these libraries are installed in a 
nonstandard location, other than the prefix to which you are installing 
YAF itself.

Known Issues
============

YAF BPF Filtering does not operate with the Bivio Zero-Copy Library.

YAF BPF FIltering is ignored when using --live dag because libpcap is not
used.

YAF 0.7.0 does not interoperate with previous versions,
because it no longer uses provisional information elements for the reverse
direction of a biflow. YAF 0.7.0 must be used with an IPFIX Collecting Process
that uses PEN 29305 for reverse information elements. For export to SiLK, this
implies that the SiLK packer or rwipfix2silk utility must be built against
libfixbuf 0.7.0 or later.

Presently, the destinationTransportPort information element contains
ICMP type and code information for ICMP or ICMP6 flows; this is nonstandard
and may not be interoperable with other IPFIX implementations.

Please send bug reports, feature requests, and questions to 
<netsa-yaf@cert.org>.
