Monitoring for Large-Scale Networks

YAF

Latest Downloads

The latest releases of YAF 2.x are listed below.

RPM Downloads

You can also find RPMs of YAF releases starting from 2.16.2 in our Yum repository.

YAF Release 2.19.1, 2026-Apr-23

Downloads

yaf-2.19.1.tar.gz (2.2MiB)

(SHA256=d2bab3eab2a227eaeedc8624c69dfb77a7ba314d02c3f050cbb829e7ccf66271)

Changelog

Fixed potential file corruption when multiple YAF processes are using --lock --rotate and writing to the same directory, where one process could remove another's lock file and permit a third process to write simultaneously to the first process's output file.
Improved run-time error messages when using --caplist.
Improved the documentation for --pcap and options related to creating pcap files, and improved the command-line checks for these options.
Reduced the memory used by dpacketplugin for non-(TCP,UDP) flows when --protocol-payload is given.
Fixed an error where the --pcap-meta-file would sometimes record the input file name instead of the output file when when creating rolling pcap files and --caplist was used.
Fixed memory corruption in 2.19.0 if --uniflow is used when dpacketplugin is active.
Fixed a compilation error in 2.19.0 when Spread support is enabled.
Stopped YAF from putting Tombstone records in a separate IPFIX message.

YAF Release 2.18.4, 2026-Apr-23

Downloads

yaf-2.18.4.tar.gz (2.2MiB)

(SHA256=291e0cc0e51d2c3637a2fe639947bfd8b17be09670d9fabd865d31cfe7601975)

Changelog

Made the enforcement of the maximum flow-table size more aggressive.
Fixed potential file corruption when multiple YAF processes are using --lock --rotate and writing to the same directory, where one process could remove another's lock file and permit a third process to write simultaneously to the first process's output file.

YAF Release 2.17.5, 2026-Apr-23

Downloads

yaf-2.17.5.tar.gz (2.2MiB)

(SHA256=5e3394fc47bd29acce6b1cf8370ae341d7311c64d87d5a49082df56cd07ad5a2)

Changelog

Made the enforcement of the maximum flow-table size more aggressive.
Fixed potential file corruption when multiple YAF processes are using --lock --rotate and writing to the same directory, where one process could remove another's lock file and permit a third process to write simultaneously to the first process's output file.

YAF Release 2.18.3, 2026-Mar-26

Downloads

yaf-2.18.3.tar.gz (2.2MiB)

(SHA256=4cee46b11371fc5b7b76044c7efadb1e30043e699eb0d8d1aa4f1ca6436e8cdd)

Changelog

Fixed an error since YAF-2.17.0 when using --uniflow that caused an assertion error (or memory corruption if asserts were disabled) during deep packet inspection.

YAF Release 2.17.4, 2026-Mar-26

Downloads

yaf-2.17.4.tar.gz (2.2MiB)

(SHA256=ebc061b2d302d68beec837faa435d2dd8bebf66a0e103ec5477cbdfe5cdca1dc)

Changelog

Fixed an error since YAF-2.17.0 when using --uniflow that caused an assertion error (or memory corruption if asserts were disabled) during deep packet inspection.

YAF Release 2.19.0, 2026-Feb-26

Downloads

yaf-2.19.0.tar.gz (2.2MiB)

(SHA256=74b4a52f9265571efbf490ec5c27581f3c69f8c85bd691695d75aa815c266d25)

Changelog

Upgrading: There are multiple changes to yafApplabelRules.conf.
Upgrading: Application labeling support now requires PCRE2, version 10.32 or later.
Added a new "port" statement to yafApplabelRules.conf to detect application protocols that may appear on multiple ports.
Added option --filter-file to read a packet filtering expression from a file.
Added option --protocol-payload to enable capturing payload for non-(TCP,UDP) records.
Made the enforcement of the maximum flow-table size more aggressive.
Allow environment variables to modify the conditions that trigger when the flow-table is flushed.
Changed YAF's PCRE requirement to PCRE2, which is required for application labeling.
Made substantial internal changes to deep packet inspection.

YAF Release 2.18.2, 2025-Dec-11

Downloads

yaf-2.18.2.tar.gz (2.2MiB)

(SHA256=b2324e6c5468e4748e59d9f33312decc8e72cc9ee51e927cd7e77b3d3584d909)

Changelog

Fixed a bug resulting in the Fragments flag in flowAttributes falsely being true for nearly every flow.

YAF Release 2.18.1, 2025-Nov-21

Downloads

yaf-2.18.1.tar.gz (2.2MiB)

(SHA256=eebab530828deed9628c0d25e3ef663ec36a5dd992603f50fdf5824e19a30dea)

Changelog

Fixed a memory leak and potential crash when full cert export is enabled.

YAF Release 2.18.0, 2025-Oct-9

Downloads

yaf-2.18.0.tar.gz (2.2MiB)

(SHA256=2aeec41d7540b593d72fbd89b082bc6f1832e3a114b8335249a6d5c24b7e2377)

Changelog

Upgrading: Previous /etc/yaf.conf files may need updating to work with the start-up scripts in this release: YAF_STATEDIR is no longer set when yaf.conf is read.
Added the capability to determine the application label of an active flow and modify the amount of payload based on the result. Use options --applabel-max-payload to set the amount of payload to store for an appLabel and --applabel-check-early to enable early appLabel detection.
Stopped the installation of yaf.conf into /etc which overwrote any previous file.
Improved the yaf.conf file and the start-up files for both systemd and SysV init.d-style control. Reference copies of the start-up files are now installed under $prefix/share/yaf.
Added counts of flows opened and the reasons flows were closed to the log file in both periodic messages and at shutdown, and reformatted those messages.
Added a periodic log message that provides counts since the previous periodic message.
Added the command line used to invoke yaf to the log file.
Added appLabel and DPI support Microsoft DNS-related protocols for LLMNR and MDNS.
Fixed an issue where some DNS records were not identified as such due to using newer RRTYPE values.
Fixed the accuracy of NNTP application labeling that caused several records to be mistakenly identified as NNTP.
Fixed issues where temporary files for decompressed PCAP files were not always removed, and improved error reporting when decompression fails.

Visit Release History for older releases.