NAF


Introduction

NAF is the NetSA Aggregated Flow toolchain, by the CERT Network Situational Awareness Group. The NAF tools create and manipulate the IPFIX-based NAF file format, designed as a common format for aggregate network flow analysis. The most important difference between aggregate and raw flows is that the NAF format splits and aggregates flows into constant-size time bins. Information about the exact start time of each flow, and flow duration, is lost.

The NAF toolchain presently consists of four tools. nafalize is the NAF normalizer and aggregator; it reads libpcap save files, packets from a live libpcap interface, Argus 2.0.6 RA format flow data, SiLK RW flow data, or existing NAF aggregate flows, and aggregates them into time and flow key bins according to a nafalize aggregation expression. nafilter filters existing NAF data, for drilling down into NAF files. nafscii prints NAF files as whitespace-separated, columnar ASCII for manipulation by utilities that handle whitespace-separated text. nafload inserts NAF files into a relational database via AirDBC, the AirCERT Database Connectivity layer.

The tools are documented by their manpages; see nafalize(1), nafilter(1), nafscii(1), and nafload(1) for details.
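To make the time-bin splitting described above concrete, here is an added example (not NAF's own code and not the libnaf data structures) that aggregates a few constructed raw flows into constant-size bins keyed by a configurable flow key, the way a nafalize aggregation expression does. It assumes that a flow spanning several bins has its packet and byte counts apportioned to each bin in proportion to the overlap of the bin with the flow's duration (the README does not say how nafalize splits counts, so that is a choice made here), and it uses integer-second timestamps.

```python
"""Constant-size time-bin aggregation of raw flows, in the style of nafalize.

Added example for this README; it is not NAF's own code. Assumptions:
  * a flow spanning several bins has its packet and byte counts apportioned
    to each bin by the fraction of its duration inside that bin (the README
    does not say how nafalize splits counts, so this is a choice made here);
  * the default flow key (sip, dip, proto, sport, dport) stands in for a
    nafalize aggregation expression;
  * start times and durations are whole seconds.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class RawFlow:
    """One raw (unaggregated) flow with an exact start time and duration."""
    sip: str
    dip: str
    proto: int
    sport: int
    dport: int
    start: int      # seconds since the epoch
    duration: int   # seconds; 0 for a single-packet flow
    packets: int
    octets: int


FlowKey = Tuple[object, ...]
AggRecord = Tuple[int, int, int]   # (packets, octets, flow fragments)
DEFAULT_FIELDS: Sequence[str] = ("sip", "dip", "proto", "sport", "dport")


def flow_key(f: RawFlow, fields: Sequence[str] = DEFAULT_FIELDS) -> FlowKey:
    """Project a flow onto the key fields named by the aggregation expression."""
    return tuple(getattr(f, name) for name in fields)


def split_into_bins(f: RawFlow, bin_size: int) -> List[Tuple[int, int, int]]:
    """Split one flow into (bin_start, packets, octets) pieces, one per bin it overlaps.

    Counts are apportioned by overlap with integer floor division; the rounding
    residue is added to the last piece so the flow's totals are preserved.
    After this step the exact start time and duration are no longer recoverable.
    """
    bin_start = f.start // bin_size * bin_size
    if f.duration <= 0:
        return [(bin_start, f.packets, f.octets)]   # single bin, nothing to split
    end = f.start + f.duration
    pieces: List[List[int]] = []
    assigned_packets = assigned_octets = 0
    b = bin_start
    while b < end:
        overlap = min(end, b + bin_size) - max(f.start, b)
        p = f.packets * overlap // f.duration
        o = f.octets * overlap // f.duration
        pieces.append([b, p, o])
        assigned_packets += p
        assigned_octets += o
        b += bin_size
    pieces[-1][1] += f.packets - assigned_packets
    pieces[-1][2] += f.octets - assigned_octets
    return [(bs, p, o) for bs, p, o in pieces]


def aggregate(flows: Iterable[RawFlow], bin_size: int,
              fields: Sequence[str] = DEFAULT_FIELDS) -> Dict[Tuple[int, FlowKey], AggRecord]:
    """Aggregate raw flows into (bin_start, flow_key) -> (packets, octets, fragments)."""
    table: Dict[Tuple[int, FlowKey], List[int]] = defaultdict(lambda: [0, 0, 0])
    for f in flows:
        key = flow_key(f, fields)
        for bin_start, p, o in split_into_bins(f, bin_size):
            rec = table[(bin_start, key)]
            rec[0] += p
            rec[1] += o
            rec[2] += 1
    return {k: (v[0], v[1], v[2]) for k, v in table.items()}


def totals(table: Dict[Tuple[int, FlowKey], AggRecord]) -> Tuple[int, int]:
    """Total packets and octets in an aggregate table; must equal the raw totals."""
    return (sum(r[0] for r in table.values()), sum(r[1] for r in table.values()))


# Constructed sample input: three raw flows, aggregated with a 60 second bin size.
SAMPLE_FLOWS = [
    RawFlow("10.0.0.1", "10.0.0.2", 6, 40000, 80, start=100, duration=0, packets=1, octets=60),
    RawFlow("10.0.0.1", "10.0.0.2", 6, 40000, 80, start=110, duration=100, packets=100, octets=10000),
    RawFlow("10.0.0.3", "10.0.0.2", 17, 5353, 53, start=130, duration=5, packets=2, octets=200),
]
BIN_SIZE = 60


if __name__ == "__main__":
    for (bin_start, key), rec in sorted(aggregate(SAMPLE_FLOWS, BIN_SIZE).items()):
        print(bin_start, *key, *rec)
    # A coarser aggregation expression: key on destination address only.
    for (bin_start, key), rec in sorted(aggregate(SAMPLE_FLOWS, BIN_SIZE, ("dip",)).items()):
        print(bin_start, *key, *rec)
```

Running it prints one line per (bin, key) pair, first with the full five-tuple key and then keyed on destination address only. Note that nothing in the resulting table records that the second sample flow started at second 110 or lasted 100 seconds; it survives only as three fragments in the 60, 120 and 180 second bins, which is exactly the information the README says the NAF format gives up.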

Building

NAF requires glib 2.6.4 or later (2.8.x is OK). Build and install glib before building NAF. Note that glib is also included in many operating environments or ports collections.

NAF requires libairframe 0.6.2 or later. Build and install libairframe before building NAF.

NAF requires libfixbuf 0.4.0 or later. Build and install libfixbuf before building NAF.

nafload requires AirDBC version 0.2.0 or later. Build and install AirDBC before building NAF if nafload support is required.

The NAF applications also require the included libnaf library, which implements NAF file I/O and core flow data structures common to all applications. libnaf is included and installed with the distribution.

NAF uses a reasonably standard autotools-based build system. The customary build procedure (./configure && make && make install) should work in most environments. Note that NAF finds libfixbuf, libairframe, and libairdbc using the pkg-config facility, so you may have to set the PKG_CONFIG_PATH variable on the configure command line if these libraries are installed in a nonstandard location, other than the prefix to which you are installing NAF itself.

NAF does support a few non-standard configure options. First is --with-glib-static, which allows the use of a static glib. This is useful in environments using ancient versions of glib (2.4 is common; libfixbuf requires glib-2.6.4 or later) where a glib upgrade is not feasible. To use this, install glib-2.6.4 to a private prefix, then supply that prefix to --with-glib-static.

By default, nafalize does not build with SiLK RW input support. To enable SiLK support, fetch SiLK 0.9.x from http://silktools.sourceforge.net, ./configure && make, then point NAF at the root of the built SiLK source distribution using --with-silk-source. This is necessary because NAF links against static libraries used internally by SiLK but not installed by SiLK's make install target.

By default, NAF is built without AirDBC support for nafload; the default nafload implementation is a stub. To include AirDBC support and build a working nafload, use --with-airdbc. NAF finds libairdbc using the pkg-config facility, so you may have to set the PKG_CONFIG_PATH variable on the configure command line if libairdbc is installed in a nonstandard location.

The --enable-flow-dump option to configure enables the printing to stderr of every aggregate flow record on its way through the nafalize flow table and the nafscii flow input. It is noisy, it is slow, and it is for debugging purposes only.
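Because configure locates the libraries through pkg-config, the quickest way to catch a missing or too-old dependency before the build is to ask pkg-config directly. The following preflight script is an added example, not part of the NAF distribution: it checks the minimum versions listed above with a numeric, component-wise version comparison (so 2.10 is newer than 2.9). glib-2.0 is glib's real pkg-config module name; the module names used here for libfixbuf, libairframe and AirDBC are assumptions, and should be replaced with the names of the .pc files those libraries actually install. Run it with PKG_CONFIG_PATH set as described above when the libraries live in a nonstandard prefix.

```shell
#!/bin/sh
# Added example, not part of the NAF distribution: a preflight check of the
# dependency versions this README lists, meant to run before ./configure.
# Assumptions: every dependency installed a pkg-config .pc file, and the
# module names "libfixbuf", "libairframe" and "airdbc" are placeholders for
# the real .pc names. "glib-2.0" is glib's real module name.

# version_ge HAVE NEED: succeed when dotted version HAVE is >= NEED.
# Components are compared numerically, so 2.10 > 2.9 and 0.10.0 > 0.6.2;
# a missing trailing component counts as 0 (2.6 == 2.6.0).
version_ge() {
    have=$1
    need=$2
    while [ -n "$have" ] || [ -n "$need" ]; do
        h=${have%%.*}
        n=${need%%.*}
        if [ "${h:-0}" -gt "${n:-0}" ]; then return 0; fi
        if [ "${h:-0}" -lt "${n:-0}" ]; then return 1; fi
        case $have in *.*) have=${have#*.} ;; *) have= ;; esac
        case $need in *.*) need=${need#*.} ;; *) need= ;; esac
    done
    return 0
}

# check_dep MODULE MINVERSION: print one status line; fail when the module
# is not found by pkg-config or is older than the README's minimum.
check_dep() {
    mod=$1
    min=$2
    if ! ver=$(pkg-config --modversion "$mod" 2>/dev/null); then
        echo "MISSING  $mod (need >= $min)"
        return 1
    fi
    if version_ge "$ver" "$min"; then
        echo "ok       $mod $ver (need >= $min)"
    else
        echo "TOO OLD  $mod $ver (need >= $min)"
        return 1
    fi
}

# naf_preflight [airdbc]: check every library NAF requires; pass "airdbc"
# to also require AirDBC, as needed for a working nafload.
naf_preflight() {
    rc=0
    check_dep glib-2.0 2.6.4 || rc=1
    check_dep libfixbuf 0.4.0 || rc=1      # module name assumed
    check_dep libairframe 0.6.2 || rc=1    # module name assumed
    if [ "$1" = airdbc ]; then
        check_dep airdbc 0.2.0 || rc=1     # module name assumed
    fi
    return $rc
}

# Only run the checks when invoked as a script, not when sourced for its functions.
case $0 in *naf-preflight.sh) naf_preflight "$@" ;; esac
```

Save it as naf-preflight.sh and run it from the NAF source directory; a nonzero exit status means at least one dependency is missing or too old, and each status line says which. Components are expected to be plain integers, which is all the version numbers quoted in this README use.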

Known Issues

In general, NAF is beta-quality software. Not every reasonable combination of input and configuration has been tested. Be aware of this before using NAF in production environments. The following known issues will be addressed in future releases:

  • The nafalize Argus driver may behave in an undefined way when the Argus data was not captured from an Ethernet network.


Copyright © 2005, Carnegie Mellon University