
NAF

April 10, 2008
NAF is the NetSA Aggregated Flow toolchain.
Version: 0.6.0
License: GPL
Operating System: Linux
Homepage: tools.netsa.cert.org
Developed by: Brian Trammell
NAF is the NetSA Aggregated Flow toolchain. The NAF tools create and manipulate the IPFIX-based NAF file format, designed as a common format for aggregate network flow analysis. The most important difference between aggregate and raw flows is that the NAF format splits and aggregates flows into constant-size time bins. Information about the exact start time of each flow, and flow duration, is lost.

The NetSA Aggregated Flow (NAF) toolchain presently consists of four tools. nafalize is the NAF normalizer and aggregator, which reads IPFIX files (such as those produced by YAF), Argus 2.0.6 RA format flow data, SiLK RW flow data, or existing NAF aggregate flows, and aggregates them into time and flow key bins based upon a nafalize aggregation expression. nafilter filters existing NAF data for drilling down into NAF files. nafscii prints NAF files as whitespace-separated, columnar ASCII files for manipulation by utilities that can handle whitespace-separated text. nafload inserts NAF files into a relational database via AirDBC, the AirCERT Database Connectivity layer.

Building

NAF requires glib 2.6.4 or later.

NAF requires libairframe 0.6.6 or later.

NAF requires libfixbuf version 0.6.0 or later.

nafload requires AirDBC version 0.2.0 or later.

nafalize packet input support requires YAF 0.6.0 or later (specifically, the YAF packet decode and defragmentation library, libyafrag).

nafalize SiLK input support requires SiLK 0.11.0 or later.

The NAF applications also require the included libnaf library, which implements NAF file I/O. This library is built and installed with the NAF tools distribution, and may be required by other software that interoperates with NAF.

NAF uses a reasonably standard autotools-based build system. The customary build procedure (./configure && make && make install) should work in most environments. Note that NAF finds libfixbuf, libairframe, libairdbc, and libyafrag using the pkg-config(1) facility, so you may have to set the PKG_CONFIG_PATH variable on the configure command line if these libraries are installed in a nonstandard location, other than the prefix to which you are installing NAF itself.

Known Issues

In general, NAF is beta quality software. Not every reasonable combination of input and configuration has been tested. Be aware of this before using NAF in production environments.