
Description

The following program reads YAF IPFIX files using libfixbuf and writes the flow data to stdout or to a given text file. It is intended to read IPFIX files generated by YAF 2.x. It will read IPFIX files from earlier versions of YAF; however, it will not be able to parse any flow data that is now contained in the subTemplateMultiList. The program can read all Deep Packet Inspection (DPI) elements exported by YAF's DPI plugin or DHCP fingerprinting plugin. It requires GLib 2.12 or later and libfixbuf 1.0.0 or later. To use the included CMake configuration file, CMake version 2.8 or later is required. See "Known Issues" below if you are planning to run the mediator on a 64-bit machine.

Source Code

yaf_file_mediator-1.1.0.tar.gz

Building

First, make sure you have libfixbuf 1.0.0 (or later) installed.

If you have CMake installed, you can use the included configuration file. You may need to set PKG_CONFIG_PATH to the directory containing libfixbuf.pc:

export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
./configure
make

Running

yaf_file_mediator takes an IPFIX file generated by YAF as input and writes text output to a file or to stdout.

./yaf_file_mediator --input file.yaf --output dest_file.txt

Each flow record produces output similar to the following:

Template ID is 45840
Application Label: 80
Source IP: 10.10.10.172
Destination IP: 10.10.172.10
Source Port: 1370
Destination Port: 80
flowStartTime: 1207802506600
flowEndTime: 1207802508331
flowEndReason: 4
Protocol: 6
Octet Total Count: 1839
Reverse Octet count: 69148
Packet Total Count: 35
Reverse Packet Total Count: 49
TCP Initial Seq Number: 3956172446
Initial TCP Flags: S
Union TCP Flags: AP
TCP Reverse Initial Seq Number: 3591133997
Reverse Initial TCP Flags: AS
Reverse Union TCP Flags: AP
HTTP userAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
HTTP GET: /wikipedia/en/6/60/Wikinews-logo-51px.png
HTTP Version: HTTP/1.1
HTTP Version: HTTP/1.0
HTTP Referer: http://en.wikipedia.org/wiki/Wikipedia
HTTP Host: upload.wikimedia.org
HTTP Age: 2025
HTTP Response: 200 OK

It will also output YAF process statistics if YAF ran with stats output enabled (the default):

----------OPTIONS--------------
Exported Flow Count: 27
Packet Total Count: 481
Dropped Packets: 0
Ignored Packets: 0
Expired Fragment Count: 0
Assembled Fragment Count: 0
FlowTable Flush Events: 5
FlowTable Peak Count: 22
Exporter IPv4 Address: 10.20.11.51
Exporting Process ID: 0
Mean Flow Rate: 7079
Mean Packet Rate: 126081
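As an added example (not part of the mediator distribution), a small Python parser for the text format shown above, handling both the per-flow records and the OPTIONS statistics block; the sample input is constructed from the records above. It keeps repeated fields such as HTTP Version in order and treats flowStartTime/flowEndTime as millisecond epochs.

```python
import datetime

# Constructed sample in the mediator's text format: one flow record
# (with a repeated HTTP Version field) followed by a process-stats block.
SAMPLE = """Template ID is 45840
Source IP: 10.10.10.172
Source Port: 1370
flowStartTime: 1207802506600
flowEndTime: 1207802508331
HTTP Version: HTTP/1.1
HTTP Version: HTTP/1.0
HTTP Host: upload.wikimedia.org

----------OPTIONS--------------
Exported Flow Count: 27
Dropped Packets: 0
"""

def parse_mediator_output(text):
    """Split mediator output into records: a dict per 'Template ID is N'
    flow block or OPTIONS stats block, mapping field name -> string value
    (a list, in order, when a field such as HTTP Version repeats)."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Template ID is "):
            current = {"kind": "flow", "Template ID": int(line.split()[-1])}
            records.append(current)
        elif line.strip("-") == "OPTIONS":
            current = {"kind": "stats"}
            records.append(current)
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            if key in current:  # repeated field: keep every value
                prev = current[key]
                current[key] = (prev if isinstance(prev, list) else [prev]) + [value]
            else:
                current[key] = value
    return records

def flow_duration_ms(rec):
    """flowStartTime/flowEndTime are milliseconds since the Unix epoch."""
    return int(rec["flowEndTime"]) - int(rec["flowStartTime"])

def flow_start_utc(rec):
    """Start time of a flow record as an aware UTC datetime."""
    return datetime.datetime.fromtimestamp(int(rec["flowStartTime"]) / 1000,
                                           tz=datetime.timezone.utc)
```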

Contact

If you have bug reports, feedback, or questions please send them to netsa-help@cert.org.

Known Issues
