The NAF toolchain, developed by NetSA, is designed to aggregate flow data and analyze it.
NAF comprises four tools. The NAF normalizer and aggregator, nafalize, reads IPFIX files as well as Argus 2.0.6 RA format and SiLK RW flow data, and aggregates them into time and flow key bins based on a nafalize aggregation expression. nafilter filters existing NAF data to drill down into NAF files. nafscii prints NAF files as whitespace-separated, columnar ASCII text that can be manipulated by utilities that work with whitespace-separated text. Finally, nafload inserts NAF files into a relational database through AirDBC, the AirCERT Database Connectivity layer.
To use NAF, you'll need glib 2.6.4, libairframe 0.6.6, libfixbuf version 0.6.0 or later, and AirDBC version 0.2.0 or later. Packet input support requires YAF 0.6.0 or later with libyafrag, the YAF packet decode and defragmentation library. SiLK input support requires SiLK 0.11.0 or later.
NAF uses a standard autotools-based build system. The customary build procedure, ./configure && make && make install, should work in most environments. NAF finds libfixbuf, libairframe, libairdbc, and libyafrag using the pkg-config(1) facility, so if these libraries are installed in a non-standard location, you need to set the PKG_CONFIG_PATH variable on the configure command line.
NAF is beta-quality software, and not every reasonable combination of input and configuration has been tested. Keep this in mind before using NAF in a production environment.
Version 0.6.0: N/A