Stephen Reese

Configure YAF on Linux for NetFlow collection from a network tap or SPAN

In a previous post SiLK was setup on a Debian host using NetFlow v5 from a Cisco switch. This worked well but I also have a network tap and said Cisco switch is capable of capturing data via SPAN port(s). This got me thinking about what difference I may see between the two NetFlow sources. This guide walks through setting up YAF on a Debian Linux host to receive data from a network tap or Switched Port Analyzer (SPAN) and converting it using Yet Another Flowmeter (YAF).

First, your host will need to obtain data from your network tap or SPAN port. I have two network interface cards in my box so I connected the non-management interface to the tap and started the interface without an IP in promiscuous mode. If you would like to use a SPAN port seek guidance here.

Note that this guide assumes that you already have compiled and successfully built SiLK. If not checkout this [post][].

You first need libfixbuf - IPFIX Protocol Library. Before building IPFIX will need glib2 and its respective development libraries, I did not have the latter so a little APT action takes care of that for me.

$ sudo apt-get install libglib2-dev

Building libfixbuf is straigtforward once the prerequetes are in place.

$ ./configure --prefix=/usr
$ make
$ make install

Next we are going to build YAF is Yet Another Flowmeter which has several prerequisites. libpcap needs to be installed along with its respective development libraries. I also installed the required PCRE required libraries for application labeling.

$ sudo apt-get install libpcap-dev
$ sudo apt-get install libpcre3-dev

Next we can build YAF.

$ ./configure --prefix=/usr --enable-applabel
$ make
$ sudo make install

Now that everything is ready to go we have a little housekeeping to do on the YAF configuration files. I placed the YAF configuration file in /etc/silk/yaf.conf. This file contains all of the setting such as which interface to listen on, IPFIX port, etc.

## ------------------------------------------------------------------------
## yaf.conf
## YAF daemon startup script configuration file
## ------------------------------------------------------------------------
## Copyright (C) 2007-2011 Carnegie Mellon University. All Rights Reserved.
## ------------------------------------------------------------------------
## Authors: Brian Trammell
## ------------------------------------------------------------------------
## GNU General Public License (GPL) Rights pursuant to Version 2, June 1991
## Government Purpose License Rights (GPLR) pursuant to DFARS 252.227-7013
## ------------------------------------------------------------------------

# Must be non-empty to start YAF
ENABLED=yes

##### Capture Options ##########################################################

# Live capture type. Must be pcap, or dag for Endace DAG if YAF was built
# with libdag.
YAF_CAP_TYPE=pcap

# Live capture interface name.
YAF_CAP_IF=eth0

##### Export Options ###########################################################

# IPFIX transport protocol to use for export. Must be one of tcp or udp, or
# sctp if fixbuf was built with SCTP support.
YAF_IPFIX_PROTO=tcp

# Hostname or IP address of IPFIX collector to export flows to.
YAF_IPFIX_HOST=localhost

# If present, connect to the IPFIX collector on the specified port.
# Defaults to port 4739, the IANA-assigned port for IPFIX
YAF_IPFIX_PORT=18000

##### Logging and State Options ################################################

# Path to state location directory; contains the log and pidfiles unless
# modified by the following configuration parameters.
# Defaults to ${prefix}/var.
#YAF_STATEDIR=

# Path to PID file for YAF. Defaults to YAF_STATEDIR/yaf.pid
#YAF_PIDFILE=

# File or syslog facility name for YAF logging. If file, must be an absolute
# path to a logfile. Defaults to YAF_STATEDIR/yaf.log
#YAF_LOG=

# File or syslog facility name for YAF airdaemon logging. If file, must be an
# absolute path to a logfile. Defaults to YAF_STATEDIR/airdaemon-yaf.log
#YAF_DAEMON_LOG=

##### Miscellaneous Options ####################################################

# If present, become the specified user after starting YAF
#YAF_USER=

# Additional flags to pass to the YAF process. Use --silk --ip4-only for
# export to SiLK rwflowpack or SiLK flowcap.
YAF_EXTRAFLAGS="--silk"

Made sure there was a sensor definition in the /netflow/silk.conf.

sensor 0 s0    "v5 netflow from router"
sensor 1 s1    "YAF converted from tap"

class all
    sensors s0 s1
end class

The /etc/silk/sensor.conf configuration file also need to be updated with the new sensor definition. In this case s1 is our tap.

probe s0 netflow-v5
    listen-on-port 9990
    protocol udp
    accept-from-host 172.16.0.1
end probe

sensor s0
    netflow-v5-probes s0
    internal-ipblocks 172.16.0.0/24
    external-ipblocks remainder
end sensor

probe s1 ipfix
    listen-on-port 18000
    protocol tcp
    accept-from-host 127.0.0.1
end probe

sensor s1
    ipfix-probes s1
    internal-ipblocks 172.16.0.0/24
    external-ipblocks remainder
end sensor

Lastly, start YAF assuming that you have rwflowpack running from the SiLK package per the previous [post][].

$ sudo yaf --silk --ipfix=tcp --live=pcap --in=eth0 --out=127.0.0.1 --ipfix-port=18000 &

You should now be capturing data and converting into a format that SiLK can process via YAF.

Comments

comments powered by Disqus