YAF Release 2.9.3, 2017-Dec-21







  • Fixed configure-time dependency for libndpi to limit use of v1.8.0 and greater.
  • init script now gives YAF more time to shut down gracefully.

YAF Release 2.9.2, 2017-Nov-8







  • Fixed configure-time bug when using libfixbuf 1.7.1 (or earlier) and p0fprinter

YAF Release 2.9.1, 2017-Nov-2







  • Fixed bug that could corrupt flow emitted to standard output

YAF Release 2.9.0, 2017-Oct-19







  • nDPI library suppport added
  • Added NTP applabel
  • Added RFC5610 template metadata (name and description) record output.
  • Add option --no-vlan-in-key to drop VLAN ID from hash calculation
  • Minor Bug Fixes

YAF Release 2.8.4, 2016-Apr-14







  • Fix incompatibility with older versions of libpcap introduced in 2.8.3

YAF Release 2.8.3, 2016-Apr-12







  • Important bug fix for versions 2.8.x. Fixes a bug in decoding specific TCP Options headers.

YAF Release 2.8.2, 2016-Apr-5







  • Fix application labeling bug introduced in 2.8.0 which incorrectly labels particular REGEX labels
  • Other Bug Fixes

YAF Release 2.8.1, 2016-Feb-4







  • Fix compile error when configured with --disable-payload
  • Force buffer emit with IPFIX Options record when inactive

YAF Release 2.8.0, 2015-Dec-22







  • Remove support for fixbuf releases prior to libfixbuf-1.7.0
  • PF_RING support
  • PF_RING ZC (Zero Copy) support
  • Add support for gzip'd PCAP files
  • Add support for decoding MPTCP headers and exporting MPTCP information
  • Add LUA configuration file for yaf startup
  • New SSL Server Name field export from TLS/SSL Client Hello
  • New option for exporting entire X.509 Certificate
  • Add Fragment flag to flowAttributes to signify that a flow contained fragmented packets
  • DHCP fingerprinting plugin now exports basic list of options by default
  • ipfixDump prints number of records for each template
  • Bug Fix for labeling DNS over TCP
  • Bug Fix for reverseFlowDeltaMilliseconds field
  • Bug Fix for collecting X.509 Certificates through a proxy
  • More detailed information about ignored packets on termination/SIGUSR1

YAF Release 2.7.1, 2015-Jan-27







  • Fix a bug with --flow-stats in particular configurations

YAF Release 2.7.0, 2015-Jan-7







  • New Gh0st RAT Application Label
  • New NetBIOS Datagram Service Application Label
  • yafMeta2Pcap can now accept IPFIX input
  • getFlowKeyHash now exports IPFIX
  • Support for indexing PCAPNG files
  • New YAF option --no-output to produce no IPFIX output
  • New YAF options --hash and --stime to search for a single flow with the given hash and start\ time
  • DNS DPI now exports query section of resource record for all responses with nonzero RCODE
  • Faster searching of pcap-meta files
  • Implement SAME_SIZE flag for TCP flows
  • Minor Bug Fixes

YAF Release 2.6.0, 2014-Sep-3







  • Added a new tool, ipfixDump, to read and dump the contents of IPFIX files. Requires Fixbuf 1.4.0 or later.
  • Add LDAP application label
  • Filedaemon can now move files from one directory to another without passing to a child program
  • SSL/TLS DPI modification to capture SSL record version
  • Update CERT PEN Information Elements to use full information model if Fixbuf 1.4.0 or later is available
  • Fix for Modbus application label to reduce false positives
  • Bug Fix for TOS field when running with --uniflow
  • Bug Fix in RPM spec file
  • Bug Fix for labeling malformed DNS packets
  • Bug Fix for processing out of order packets with --force-read-all
  • Bug Fix for exporting reverse payload
  • Other minor bug fixes

YAF Release 2.5.0, 2014-Mar-4







  • Bug Fix for indexing rolling pcap files
  • Added MPLS flow hashing and label export
  • Add option for yafMeta2Pcap to take a list of pcap files
  • Non-IP flow data can be exported in MPLS mode
  • Added Napatech 3GD support
  • Added Netronome support
  • Added DNP3 application labeling and configurable DPI
  • Added Modbus application labeling and configurable DPI
  • Added Ethernet/IP application labeling and configurable DPI
  • YAF DPI plugin now exports RTP Payload Type
  • Added compile time option to enable local-time logging
  • New Bittorrent application label
  • Added Daemonizing capability within YAF
  • Added option to disable promiscuous mode on device
  • Added LDP application label for MPLS support
  • Added Juniper Ethernet (DLT_JUNIPER_ETHER) link layer support
  • getFlowKeyHash can now accept IPFIX input
  • Interface recording is now enabled by default for capture cards
  • Bug Fix for pcap-per-flow option
  • Type of Service Field now exported

YAF Release 2.4.0, 2013-May-3







  • New HTTP DPI Fields
  • Updated DPI Elements
  • Bug Fix to not replace yaf.conf on install
  • New application label: VMware server console
  • Added support to decode ERSPAN headers
  • Drop statistics are updated when statistics messages are exported
  • yafcollect bug fix
  • Other Bug Fixes

YAF Release 2.3.3, 2013-Jan-30







  • init.d script improvements
  • Allow yafmeta2pcap to accept multiple files
  • Report drop statistics on SigUsr1
  • Bug Fixes

YAF Release 2.3.2, 2012-Sep-14







  • Bug Fix to maintain compatibility with older versions of GLib and libpcap

YAF Release 2.3.1, 2012-Sep-10


  • DPI Improvements
  • Additional Pcap Export Option --index-pcap
  • Add option to manually set ingress/egress interface fields
  • Add tool to create pcap from pcap metafile
  • Bug Fixes

YAF Release 2.3.0, 2012-Jul-31


  • Added DHCP Fingerprinting Capability
  • Added ability to export DNSSEC information
  • Significant X.509 Certificate Capture and Export Enhancements
  • Added Bivio Interface Labeling
  • DPI Improvements
  • Added Enhanced Flow Attributes and Statistics Export
  • Added ability to index PCAP file
  • Added New Application Labels: MGCP, MEGACO
  • Bug Fixes

YAF Release 2.2.2, 2012-Mar-30


  • Bug Fix for Vlan Tagging

YAF Release 2.2.0, 2012-Feb-29


  • New Application Labels (MSNP, RTP, RTCP, Jabber)
  • Rolling Pcap output and pcap-per-flow options.
  • CERT p0f Fingerprints included.
  • New option to process out-of-sequence flows.
  • Several other bug fixes.

YAF Release 2.1.2, 2011-Sep-23


  • Added new --plugin-conf switch for adding a configuration file to a plugin
  • Added new --p0f-fingerprints switch to give location of p0f fingerprint files
  • Bug Fixes

YAF Release 2.1.1, 2011-Aug-11


  • Important bug fix for application labeling SSL plugin

YAF Release 2.1.0, 2011-Jul-27


  • New Information Element exported in every flow record, flowAttributes (CERT PEN 6871, IE 40).
  • YAF now checks if a flow has fixed-size packets and exports this flag using the new flowAttributes Information Element (see yaf)
  • Reset Application Label on UDP-uniflows for Deep Packet Inspection
  • Fixed yafscii invalid parameter bug that may have existed on certain platforms
  • Added VNC (RFB Protocol) application label
  • DPI Enhancements
  • FlowEndReason IPFIX field is now set to 31 for udp-uniflows
  • For Cygwin: Added support for getting the yaf config directory via the Windows Registry
  • Several other bug fixes

YAF Release 2.0.2, 2011-Jun-13


  • Improvements with Reassembly of TCP Fragments.
  • Bug Fix for DNS Deep Packet Inspection.
  • --no-frag switch now works.
  • Bug Fix for expiring flows that exceed the idle timeout when reading from a file.
  • Added the ability to configure YAF with WinPCAP.

YAF Release 2.0.1, 2011-May-23


  • Bug Fix for compile error with --enable-daginterface
  • Enhancement for SNMPv3 application labeler

YAF Release 2.0.0, 2011-Apr-28


  • This version requires libfixbuf-1.0.0 or greater.
  • Added Napatech Adapter Integration (requires libpcapexpress).
  • YAF now exports TCP, payload, finger printing, p0f, MAC, entropy, and DPI flow information within an IPFIX subTemplateMultiList data type.
  • Added the ability to export YAF capture statistics using IPFIX Options Templates.
  • The --stats or --no-stats were added to configure YAF stats output.
  • Added the ability to define Spread group types to use Spread as a manifold for flow export based on application, port, protocol, version, or vlan.
  • Added New Application Labels: DHCP, AIM, SOCKS, SMB, SNMP, NETBIOS.
  • Added a time-out buffer flush function.
  • Added SSL Certificate Capture.
  • Added DNS Resource Record Parsing.
  • Added Deep Packet Inspection for the MySQL protocol.
  • The --silk switch will maintain compatibility with SiLK by not nesting TCP information in the subTemplateMultiList data type.
  • Deep Packet Inspection elements are read from one configuration file.
  • Added the ability to create new DPI elements from configuration file.
  • Added UDP Export and Template Retransmission.
  • Many Bug fixes and other enhancements.

YAF Release 1.3.2, 2011-Feb-3


  • Bug fix for dnsplugin.c
  • Minor bug fix for fingerprint exporting.

YAF Release 1.3.1, 2010-Oct-6


  • Important bug fix for p0f or fpexport enabled code.
  • Fixed bug in DNS Application Labeling Decoder.
  • Removed machine learning code for future work.

YAF Release 1.3.0, 2010-Sep-20


  • Vlan tags are now a part of the flow key.
  • Vlan tags are now always exported.
  • --mac flag exports MAC addresses.
  • Fixed bug in DNS Application Labeling Decoder.
  • Fixed bug in libp0f Makefile.
  • Added --print-header switch to yafscii for use with tabular mode to print column headers.
  • Added --mac switch to yafscii to support printing of MAC addresses in tabular mode.

YAF Release 1.2.0, 2010-Jul-27


  • Spread support has been added into libfixbuf and YAF to allow publish subscribe distribution of YAF sensor output.
  • Plugin support has returned to YAF to support basic deep packet inspection (DPI) and application labeling (see yafdpi ).
  • Added 9 new protocols to the application labeling feature (see applabel).
  • Added ability for signature detection through the application labeling mechanism.
  • Added --udp-uniflow switch to capture each UDP packet on a set port and export the payload (for DNS dissector creation).
  • Added --udp-payload to concatenate and export payload up to the max-payload value.
  • DNS DPI can be restricted to Authoritative and NXDomain responses only via compile switches.
  • Enhanced payload capture for TCP streams with out-of-order SYN packets.
  • Fixed a bug in processing small (less than 64-packets) PCAP files.
  • Fixed IPv6 header options bug.
  • Fixed bug in parsing capability for strings longer than 80 columns.
  • Added p0f passive OS labeling capability from community libp0f.
  • Added Berkley Packet Filtering (BPF) switch --filter.

YAF Release, 2009-Mar-18


  • Fix to the --rotate switch so that it actually works.
  • Added the --noerror switch so that when a caplist set of PCAP files are processed, all files will be attempted even if there is a malformed PCAP in the middle of the list.
  • Added the --dag-interface switch (along with configure option --enable-daginterfaces) that will record the physical interface a packet arrived on in the flow table.

YAF Release 1.0.0, 2008-Sep-9


  • Airframe has now been merged into YAF and does not need to be separately installed.
  • Fixes to the configure system to allow external pcap libraries, (Bivio, nPulse, DAG) have been fixed.
  • multithreading in the future.

YAF Release 0.8.0, 2008-Jan-18


  • Add experimental packet classifier support to YAF.
  • Experimental plugin support has been removed.

YAF Release 0.7.2, 2007-Nov-30


  • Add experimental YAF plugin support.

YAF Release 0.7.1, 2007-Aug-29


  • Add ability to decode PPP and PPPoE headers.
  • Add experimental startup script in etc/.
  • Fix --lock option bug; change --rotate file naming to minimize collision.

YAF Release 0.7.0, 2007-Aug-15


  • Complete rewrite of YAF's main loop for simplicity and performance. Input and output command-line configuration options have changed, and some features are no longer available; see the yaf(1) manpage for details.
  • Complete rewrite of the packet decoder and fragment reassembler for IPv6 flow assembly and for future flexibility.
  • Add ability to decode IPv6 headers and create IPv6 flows.

YAF Release 0.6.0, 2007-May-17


  • Add tabular output to yafscii.
  • Add ability to decode IP over C-HDLC and GRE.
  • Update to fixbuf 0.6.0 API.
  • Add ability to export via IPFIX over TLS and IPFIX over SCTP.
  • Various bugfixes.

YAF Release 0.5.0, 2006-Sep-29


  • Add Endace DAG capture support.
  • Add ability to drop privileges during live capture.
  • Add ability to decode (but not export) MPLS information.
  • Update to fixbuf 0.5.0 API.
  • Numerous internal performance and reliability enhancements.

YAF Release 0.1.6, 2006-Jul-7


  • Add ability to process pcap trace files (those containing headers only, and not full packet payload).
  • Add ability to decode 802.1q VLAN headers, and to export VLAN tags.
  • Fix bugs in yafscii I/O handling that led to instability on close.

YAF Release 0.1.5, 2006-Jun-16


  • Changes to template handling for 0.4.0 libfixbuf release;
  • documentation tweaks; new --observation-domain option to set
  • observationDomainId on exported messages.

YAF Release 0.1.0, 2006-Mar-28


  • Initial public release of YAF. YAF is presently alpha-quality software.