YAF is Yet Another Flow sensor. It processes packet data from pcap(3) dumpfiles as generated by tcpdump(1) or via live capture from an interface using pcap(3) into bidirectional flows, then exports those flows to IPFIX Collecting Processes or in an IPFIX-based file format. YAF's output can be used with the NetSA Aggregated Flow (NAF) toolchain.
YAF also supports partial payload capture - this feature is intended for use in "banner grabbing" for protocol verification.
Why does the world need another network flow event generator? YAF is primarily intended as an experimental implementation tracking developments in the IETF IPFIX working group, specifically bidirectional flow representation and archival storage formats. It is designed to perform acceptably as a flow sensor on any network on which white-box flow collection with commodity hardware is appropriate, but tradeoffs between raw performance and clarity of design have generally been made in favor of the latter.
The YAF toolchain presently consists of two tools: yaf itself, and yafscii, which converts yaf output into ASCII format, largely for testing and debugging purposes. Further capabilities will be added to the suite as it evolves.
YAF requires glib 2.6.4 or later (2.8.x is OK). Build and install glib before building YAF. Note that glib is also included in many operating environments or ports collections.
YAF requires libairframe 0.6.2 or later. Build and install libairframe before building YAF.
YAF requires libfixbuf 0.4.1 or later. Build and install libfixbuf before building YAF.
The YAF applications also require the included libyaf and libyafrag libraries. libyaf implements YAF file and network I/O. This library is built and installed with the YAF tools distribution, and may be required by other software that interoperates with YAF (such as NAF). libyafrag is a generic IPv4 fragment reassembly library, and is installed separately in the hope that other applications may find it useful.
In general, YAF is alpha quality software. Not every reasonable use case has been thoroughly tested. Be aware of this before using YAF in production environments. Also, as the format of YAF's output will track developments in the IPFIX working group, there may be some incompatible changes to the YAF export format in the future; initially, no support will be provided for interoperability between old and new versions of YAF (at least, not until the archival file format matures to the point that YAF can reasonably be used to generate archival flow data).
YAF-generated ICMP flows store type and code information in the destinationTransportPort information element; this is nonstandard.