Configure YAF on Linux for NetFlow collection from a network tap or SPAN

In a previous post SiLK was set up on a Debian host collecting NetFlow v5 from a Cisco switch. That worked well, but I also have a network tap, and the same Cisco switch can mirror traffic to SPAN port(s). This got me thinking about what differences I might see between the two flow sources. This guide walks through setting up Yet Another Flowmeter (YAF) on a Debian Linux host so that it reads packets from a network tap or Switched Port Analyzer (SPAN) port and exports them as IPFIX flows to SiLK's rwflowpack.

First, your host needs to see the traffic from your network tap or SPAN port. I have two network interface cards in my box, so I connected the non-management interface to the tap and brought that interface up with no IP address and in promiscuous mode (no address means the capture interface never sources traffic of its own onto the monitored segment). If you would like to use a SPAN port instead, seek guidance here.

Note that this guide assumes that you have already built and installed SiLK. If not, check out this post.

You first need libfixbuf, the IPFIX Protocol Library. Before building libfixbuf you will need glib2 and its development headers; I did not have the latter, so a little APT action takes care of that.

$ sudo apt-get install libglib2.0-dev

Building libfixbuf is straightforward once the prerequisites are in place. I used the same /usr prefix that YAF will be built with, and the install step needs root.

$ ./configure --prefix=/usr
$ make
$ sudo make install

Next we build YAF (Yet Another Flowmeter), which has a few prerequisites of its own. libpcap needs to be installed along with its development headers. I also installed the PCRE development libraries, which are required for application labeling (--enable-applabel below).

$ sudo apt-get install libpcap-dev
$ sudo apt-get install libpcre3-dev

Next we can build YAF.

$ ./configure --prefix=/usr --enable-applabel
$ make
$ sudo make install

Now that everything is built, there is a little housekeeping to do on the YAF configuration file. I placed it at /etc/silk/yaf.conf. It holds settings such as which interface to capture on, the IPFIX collector host and port, and any extra flags passed to the yaf process.

## ------------------------------------------------------------------------
## yaf.conf
## YAF daemon startup script configuration file
## ------------------------------------------------------------------------
## Copyright (C) 2007-2011 Carnegie Mellon University. All Rights Reserved.
## ------------------------------------------------------------------------
## Authors: Brian Trammell
## ------------------------------------------------------------------------
## GNU General Public License (GPL) Rights pursuant to Version 2, June 1991
## Government Purpose License Rights (GPLR) pursuant to DFARS 252.227-7013
## ------------------------------------------------------------------------

# Must be non-empty to start YAF
ENABLED=yes

##### Capture Options ##########################################################

# Live capture type. Must be pcap, or dag for Endace DAG if YAF was built
# with libdag.
YAF_CAP_TYPE=pcap

# Live capture interface name.
YAF_CAP_IF=eth0

##### Export Options ###########################################################

# IPFIX transport protocol to use for export. Must be one of tcp or udp, or
# sctp if fixbuf was built with SCTP support.
YAF_IPFIX_PROTO=tcp

# Hostname or IP address of IPFIX collector to export flows to.
YAF_IPFIX_HOST=localhost

# If present, connect to the IPFIX collector on the specified port.
# Defaults to port 4739, the IANA-assigned port for IPFIX
YAF_IPFIX_PORT=18000

##### Logging and State Options ################################################

# Path to state location directory; contains the log and pidfiles unless
# modified by the following configuration parameters.
# Defaults to ${prefix}/var.
#YAF_STATEDIR=

# Path to PID file for YAF. Defaults to YAF_STATEDIR/yaf.pid
#YAF_PIDFILE=

# File or syslog facility name for YAF logging. If file, must be an absolute
# path to a logfile. Defaults to YAF_STATEDIR/yaf.log
#YAF_LOG=

# File or syslog facility name for YAF airdaemon logging. If file, must be an
# absolute path to a logfile. Defaults to YAF_STATEDIR/airdaemon-yaf.log
#YAF_DAEMON_LOG=

##### Miscellaneous Options ####################################################

# If present, become the specified user after starting YAF
#YAF_USER=

# Additional flags to pass to the YAF process. Use --silk --ip4-only for
# export to SiLK rwflowpack or SiLK flowcap.
YAF_EXTRAFLAGS="--silk"

Make sure there is a sensor definition for the new source in /netflow/silk.conf (the site configuration at the root of the SiLK data repository). Here s0 is the existing NetFlow v5 sensor and s1 is the tap:


sensor 0 s0    "v5 netflow from router"
sensor 1 s1    "YAF converted from tap"

class all
    sensors s0 s1
end class

The /etc/silk/sensor.conf configuration file also needs a probe and a sensor block for the new source. In this case s1 is our tap: the probe listens on TCP port 18000 for IPFIX from YAF on the same host, which must match YAF_IPFIX_PORT and YAF_IPFIX_PROTO above.

probe s0 netflow-v5
    listen-on-port 9990
    protocol udp
    accept-from-host 172.16.0.1
end probe

sensor s0
    netflow-v5-probes s0
    internal-ipblocks 172.16.0.0/24
    external-ipblocks remainder
end sensor

probe s1 ipfix
    listen-on-port 18000
    protocol tcp
    accept-from-host 127.0.0.1
end probe

sensor s1
    ipfix-probes s1
    internal-ipblocks 172.16.0.0/24
    external-ipblocks remainder
end sensor

Lastly, start YAF, assuming that rwflowpack from the SiLK package is already running per the previous post. Note the explicit 127.0.0.1 for --out: rwflowpack compares the connecting peer's address with the probe's accept-from-host, and on Debian the name localhost also resolves to ::1, so use the same literal address in both places.

$ sudo yaf --silk --ipfix=tcp --live=pcap --in=eth0 --out=127.0.0.1 --ipfix-port=18000 &
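Before starting YAF it is worth confirming that the three files agree with each other: the probe's port and protocol must match YAF_IPFIX_PORT and YAF_IPFIX_PROTO, the probe's accept-from-host must match the address yaf connects from, YAF_EXTRAFLAGS must carry --silk, and every sensor in sensor.conf must be defined in silk.conf or rwflowpack will not start. The script below is an added example and not part of YAF or SiLK. It embeds constructed copies of the fragments above (with YAF_IPFIX_HOST set to 127.0.0.1, the address used on the command line, rather than localhost), pulls the relevant values out with awk, and rebuilds the yaf command line from yaf.conf; that mapping of variables to flags is my own and does not consult yaf's init script.

```shell
#!/bin/sh
# Added example, not part of YAF or SiLK: cross-check yaf.conf, sensor.conf
# and silk.conf from this guide before starting yaf, so rwflowpack will
# actually accept the export. The file bodies are constructed copies of the
# fragments in the post; YAF_IPFIX_HOST is 127.0.0.1 (as on the command line)
# so that it matches the probe's accept-from-host literally.

YAF_CONF='
ENABLED=yes
YAF_CAP_TYPE=pcap
YAF_CAP_IF=eth0
YAF_IPFIX_PROTO=tcp
YAF_IPFIX_HOST=127.0.0.1
YAF_IPFIX_PORT=18000
YAF_EXTRAFLAGS="--silk"
'

SENSOR_CONF='
probe s1 ipfix
    listen-on-port 18000
    protocol tcp
    accept-from-host 127.0.0.1
end probe

sensor s1
    ipfix-probes s1
    internal-ipblocks 172.16.0.0/24
    external-ipblocks remainder
end sensor
'

SILK_CONF='
sensor 0 s0    "v5 netflow from router"
sensor 1 s1    "YAF converted from tap"

class all
    sensors s0 s1
end class
'

# yaf_setting YAF_CONF VAR: value of one variable from a yaf.conf body. The body
# is shell syntax, so it is eval'd inside a subshell and nothing leaks out.
yaf_setting() {
    (eval "$1"; eval "printf '%s' \"\$$2\"")
}

# yaf_cmdline YAF_CONF: the yaf command line matching yaf.conf, using the same
# flags the post passes by hand (assumption: my mapping, not yaf's init script).
yaf_cmdline() {
    [ "$(yaf_setting "$1" ENABLED)" = yes ] \
        || { echo "ENABLED is not yes in yaf.conf" >&2; return 1; }
    printf 'yaf --live=%s --in=%s --ipfix=%s --out=%s --ipfix-port=%s %s\n' \
        "$(yaf_setting "$1" YAF_CAP_TYPE)"    "$(yaf_setting "$1" YAF_CAP_IF)" \
        "$(yaf_setting "$1" YAF_IPFIX_PROTO)" "$(yaf_setting "$1" YAF_IPFIX_HOST)" \
        "$(yaf_setting "$1" YAF_IPFIX_PORT)"  "$(yaf_setting "$1" YAF_EXTRAFLAGS)"
}

# probe_setting SENSOR_CONF PROBE KEY: value of KEY inside the
# "probe NAME TYPE ... end probe" block; KEY "type" returns the probe type.
# Prints nothing if the probe or key is absent.
probe_setting() {
    printf '%s\n' "$1" | awk -v p="$2" -v k="$3" '
        $1 == "probe" && $2 == p {
            inblock = 1
            if (k == "type") { print $3; exit }
            next
        }
        inblock && $1 == "end" && $2 == "probe" { exit }
        inblock && $1 == k { print $2; exit }'
}

# Sensor names: sensor.conf uses "sensor NAME", silk.conf uses "sensor ID NAME".
sensorconf_sensors() { printf '%s\n' "$1" | awk '$1 == "sensor" { print $2 }'; }
silkconf_sensors()   { printf '%s\n' "$1" | awk '$1 == "sensor" { print $3 }'; }

errors=0
fail() { echo "FAIL: $1"; errors=$((errors + 1)); }

# check_config YAF_CONF SENSOR_CONF SILK_CONF PROBE: returns 0 when yaf's export
# will be accepted on PROBE and every sensor.conf sensor is known to silk.conf.
check_config() {
    errors=0
    port=$(yaf_setting "$1" YAF_IPFIX_PORT)
    proto=$(yaf_setting "$1" YAF_IPFIX_PROTO)
    host=$(yaf_setting "$1" YAF_IPFIX_HOST)
    flags=$(yaf_setting "$1" YAF_EXTRAFLAGS)

    [ "$(probe_setting "$2" "$4" type)" = ipfix ] \
        || fail "probe $4 must be of type ipfix to receive YAF output"
    [ "$(probe_setting "$2" "$4" listen-on-port)" = "$port" ] \
        || fail "yaf exports to port $port but probe $4 listens on $(probe_setting "$2" "$4" listen-on-port)"
    [ "$(probe_setting "$2" "$4" protocol)" = "$proto" ] \
        || fail "yaf uses $proto but probe $4 expects $(probe_setting "$2" "$4" protocol)"
    [ "$(probe_setting "$2" "$4" accept-from-host)" = "$host" ] \
        || fail "yaf host $host does not match accept-from-host $(probe_setting "$2" "$4" accept-from-host) (use the literal address, not localhost)"
    case " $flags " in
        *" --silk "*) ;;
        *) fail "YAF_EXTRAFLAGS lacks --silk, needed for export to rwflowpack" ;;
    esac
    for s in $(sensorconf_sensors "$2"); do
        silkconf_sensors "$3" | grep -qx "$s" \
            || fail "sensor $s in sensor.conf is not defined in silk.conf"
    done
    [ "$errors" -eq 0 ]
}

# Usage: verify the constructed files and show the matching start command.
if check_config "$YAF_CONF" "$SENSOR_CONF" "$SILK_CONF" s1; then
    echo "config consistent; start with: sudo $(yaf_cmdline "$YAF_CONF") &"
fi
```

Point the three variables at your real files (for example with `YAF_CONF=$(cat /etc/silk/yaf.conf)`) and the same checks apply. This is only a consistency check between the files; `rwflowpack --sensor-configuration=/etc/silk/sensor.conf --verify-sensor-config` remains the authoritative syntax check for sensor.conf, and once yaf is running, records from the tap should appear under sensor s1 in `rwfilter --sensor=s1 --type=all` queries against the repository.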


You should now be capturing packets on the tap interface and exporting them through YAF as IPFIX flows, which rwflowpack packs into the SiLK repository under sensor s1 alongside the NetFlow v5 records from s0.
