The source code below provides an example of using the fixbuf library. The source code is for libfixbuf 1.x; it has not been modified to support libfixbuf 2.x.

Once the code is compiled, the yaf_file_mediator program reads IPFIX files generated by YAF and writes the flow data as text to the standard output or to a text file. The program is able to read the Deep Packet Inspection (DPI) elements exported from YAF's DPI plugin or DHCP fingerprinting plugin.

For YAF to export DPI information, it must have been configured with --enable-plugins when it was built. You may check whether it was by running yaf --version. When running YAF, include the DPI plugin ( as the argument to --plugin-name. See the YAF manual page for details.

The program requires GLIB 2.12 or later and libfixbuf 1.x. In order to use the included CMake configuration file, CMake version 2.8 or later is required.

Source Code

Source code v1.1.0, 2012-09-18



First, make sure you have libfixbuf 1.x (not 2.x) installed. You may need to set the PKG_CONFIG_PATH environment variable to the location of the libfixbuf.pc file. (If you used a package manager to install libfixbuf, ensure that the development headers and libraries are installed. These may be in a separate package with a -devel or -dev suffix.)

If you have CMake installed you can use the included configuration file.

export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
cmake .

Alternatively, run the configure script.

export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig


yaf_file_mediator takes an IPFIX file generated by YAF as input. It outputs text to a file or stdout.

./yaf_file_mediator --input file.yaf --output dest_file.txt

Each flow record has output similar to below:

Template ID is 45840
Application Label: 80
Source IP:
Destination IP:
Source Port: 1370
Destination Port: 80
flowStartTime: 1207802506600
flowEndTime: 1207802508331
flowEndReason: 4
Protocol: 6
Octet Total Count: 1839
Reverse Octet count: 69148
Packet Total Count: 35
Reverse Packet Total Count: 49
TCP Initial Seq Number: 3956172446
Initial TCP Flags: S
Union TCP Flags: AP
TCP Reverse Initial Seq Number: 3591133997
Reverse Initial TCP Flags: AS
Reverse Union TCP Flags: AP
HTTP userAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
HTTP GET: /wikipedia/en/6/60/Wikinews-logo-51px.png
HTTP Version: HTTP/1.1
HTTP Version: HTTP/1.0
HTTP Referer:
HTTP Host:
HTTP Age: 2025
HTTP Response: 200 OK

It also outputs YAF Process Statistics if YAF ran with stats output enabled (default):

Exported Flow Count: 27
Packet Total Count: 481
Dropped Packets: 0
Ignored Packets: 0
Expired Fragment Count: 0
Assembled Fragment Count: 0
FlowTable Flush Events: 5
FlowTable Peak Count: 22
Exporter IPv4 Address:
Exporting Process ID: 0
Mean Flow Rate: 7079
Mean Packet Rate: 126081

Known Issues

The source code has not been updated to support libfixbuf 2.x. The code compiles, but attempts to run it cause it to abort with message "ERROR: Attempt to set internal template 0xffff, which has a defaulted length".