CERT NetSA Security Suite 
Open Source Tools for Network Monitoring 
YAF 0.8.1 | NAF 0.6.0 | SiLK 1.0.1 | RAVE 1.9.9
fixbuf 0.7.3 | ipa 0.2.1 | airdbc 0.2.2 | airframe 0.7.2 | Portal 0.8.0
YAF - Documentation

Manuals

The YAF toolchain presently consists of two tools, documented by their man pages: yaf itself, and yafscii, which converts yaf output into ASCII format, largely for testing and debugging purposes. Further capabilities may be added to the suite as it evolves.

Building YAF

YAF requires glib 2.6.4 or later. Build and install glib before building YAF. Note that glib is also included in many operating environments or ports collections.

YAF requires libpcap. Note that libpcap is included with many operating environments or ports collections.

YAF requires libairframe 0.7.2 or later. Build and install libairframe before building YAF.

YAF requires libfixbuf 0.7.2 or later. Build and install libfixbuf before building YAF.

Endace DAG live input support requires libdag. Use the --with-dag option to ./configure to enable DAG support.

Support for application labeling requires PCRE 7.3 or later. Build and install PCRE before building YAF. (Many Linux systems already have PCRE installed.) Support for application labeling requires giving the --enable-applabel option to ./configure.

The YAF applications also require the included libyaf library. libyaf implements YAF file and network I/O, and contains YAF's packet decoder, fragment assembler, and flow table. This library is built and installed with the YAF tools distribution, and may be required by other software that interoperates with YAF.

Note that the libyafrag library previously installed with YAF has been removed, due to a redesign of the packet decoder for IPv6 support.

YAF uses a reasonably standard autotools-based build system. The customary build procedure (./configure && make && make install) should work in most environments. Note that YAF finds libfixbuf and libairframe using the pkg-config facility, so you may have to set the PKG_CONFIG_PATH variable on the configure command line if these libraries are installed in a nonstandard location, other than the prefix to which you are installing YAF itself.

YAF 0.8.0 includes experimental support for application protocol labeling via packet inspection. This must be enabled when compiling YAF by passing the --enable-applabel switch to ./configure. It adds a new information element to the output for application protocols that are recognized.

YAF 0.8.0 has removed the previously experimental plugin support. If there is enough demand, the feature may return; a new mechanism with a similar interface, but one which can merge the library handling for application labeling and plugins, would need to be designed.

Known Issues

YAF 0.7.0 does not interoperate with previous versions, because it no longer uses provisional information elements for the reverse direction of a biflow. YAF 0.7.0 must be used with an IPFIX Collecting Process that uses PEN 29305 for reverse information elements. For export to SiLK, this implies that the SiLK packer or rwipfix2silk utility must be built against libfixbuf 0.7.0 or later.

Presently, the destinationTransportPort information element contains ICMP type and code information for ICMP or ICMP6 flows; this is nonstandard and may not be interoperable with other IPFIX implementations.
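As an added illustration of the two interoperability points above (example code, not part of the YAF or libfixbuf distributions): a collector-side parser for IPFIX template field specifiers that recognises reverse-direction elements exported under PEN 29305, plus a decoder for the nonstandard ICMP type/code value YAF places in destinationTransportPort. The sample template bytes are constructed here, and the byte layout of the ICMP value (type in the high byte, code in the low byte) is an assumption to be checked against the yaf man page for your version.

```python
import struct

CERT_PEN = 29305  # PEN YAF 0.7.0+ uses for reverse-direction (biflow) elements


def parse_template_fields(data, field_count):
    """Parse IPFIX template field specifiers (RFC 5101 section 3.4.1).

    Returns (pen, element_id, length) tuples; pen is 0 for IANA elements.
    """
    fields = []
    offset = 0
    for _ in range(field_count):
        ie_id, length = struct.unpack_from("!HH", data, offset)
        offset += 4
        pen = 0
        if ie_id & 0x8000:  # enterprise bit set: a 32-bit PEN follows
            ie_id &= 0x7FFF
            (pen,) = struct.unpack_from("!I", data, offset)
            offset += 4
        fields.append((pen, ie_id, length))
    return fields


def reverse_elements(fields):
    """Element IDs exported under PEN 29305, i.e. YAF reverse-direction elements."""
    return [ie_id for pen, ie_id, _ in fields if pen == CERT_PEN]


def icmp_type_code(protocol, dest_port):
    """Split ICMP type/code out of YAF's destinationTransportPort value.

    Only meaningful for ICMP (1) and ICMPv6 (58) flows; anything else is a
    real port and None is returned. Byte layout (type high, code low) is an
    assumption; confirm against the yaf man page for your version.
    """
    if protocol not in (1, 58):
        return None
    return (dest_port >> 8) & 0xFF, dest_port & 0xFF


# Constructed sample template: octetDeltaCount (IANA id 1, 8 bytes), its
# reverse counterpart (PEN 29305, id 1, 8 bytes), destinationTransportPort
# (IANA id 11, 2 bytes).
SAMPLE_FIELDS = (
    struct.pack("!HH", 1, 8)
    + struct.pack("!HHI", 0x8000 | 1, 8, CERT_PEN)
    + struct.pack("!HH", 11, 2)
)
```

A collector that finds no PEN 29305 elements in a YAF template is either receiving pre-0.7.0 output or decoding the enterprise bit incorrectly, which is the first thing to check when biflow reverse counters come out empty.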