YAF: yet another flowmeter

Published: 07 November 2010

Abstract

A flow meter generates flow data - which contains information about each connection observed on a network - from a stream of observed packets. Flow meters can be implemented in standalone measurement devices or inline on packet-forwarding devices, such as routers. YAF (Yet Another Flowmeter) was created as a reference implementation of an IPFIX Metering and Exporting Process, and to provide a platform for experimentation and rapid deployment of new flow meter capabilities. Significant engineering effort has also gone into ensuring that YAF is a high-performance, flexible, stable, and capable flow collector. This paper describes some of the issues we encountered in designing and implementing YAF, along with some background on the technologies we chose for the implementation. In addition, we describe some of our experiences in deploying and operating YAF in large-scale networks.
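To make the abstract's first sentence concrete, here is a minimal flow meter added as an illustration (it is not YAF's code): it keys a constructed packet stream by 5-tuple, records both directions of a connection in one bidirectional record in the spirit of RFC 5103, and exports a record once it has been idle for an assumed 30-second timeout.

```python
from collections import namedtuple

# Constructed sample packet record: timestamp (s), 5-tuple, IP length in bytes.
Packet = namedtuple("Packet", "ts src sport dst dport proto length")

def canonical_key(p):
    # Both directions of a connection map to the same key (RFC 5103 biflow).
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (ends[0], ends[1], p.proto)

def meter(packets, idle_timeout=30.0):
    """Aggregate a time-ordered packet stream into bidirectional flow records.
    The first packet seen defines the forward direction; a flow is exported
    once no packet has been seen for idle_timeout seconds (value is assumed)."""
    active, exported = {}, []
    for p in packets:
        # Expire idle flows before processing the new packet.
        for k in [k for k, f in active.items() if p.ts - f["end"] > idle_timeout]:
            exported.append(active.pop(k))
        f = active.get(canonical_key(p))
        if f is None:
            f = active[canonical_key(p)] = {
                "src": p.src, "sport": p.sport, "dst": p.dst, "dport": p.dport,
                "proto": p.proto, "start": p.ts, "end": p.ts,
                "packets": 0, "bytes": 0, "rev_packets": 0, "rev_bytes": 0}
        f["end"] = p.ts
        if (p.src, p.sport) == (f["src"], f["sport"]):   # forward direction
            f["packets"] += 1
            f["bytes"] += p.length
        else:                                             # reverse direction
            f["rev_packets"] += 1
            f["rev_bytes"] += p.length
    exported.extend(active.values())   # flush everything still open at end of input
    return exported

# Constructed sample: one HTTPS connection, one DNS exchange, then a packet on the
# same HTTPS 5-tuple after the idle timeout, which must start a new flow record.
SAMPLE = [
    Packet(0.0,  "10.0.0.5", 40000, "203.0.113.7", 443, 6, 60),
    Packet(0.1,  "203.0.113.7", 443, "10.0.0.5", 40000, 6, 60),
    Packet(0.2,  "10.0.0.5", 40000, "203.0.113.7", 443, 6, 52),
    Packet(0.3,  "10.0.0.5", 53000, "10.0.0.1", 53, 17, 70),
    Packet(0.35, "10.0.0.1", 53, "10.0.0.5", 53000, 17, 120),
    Packet(1.0,  "10.0.0.5", 40000, "203.0.113.7", 443, 6, 500),
    Packet(1.2,  "203.0.113.7", 443, "10.0.0.5", 40000, 6, 1400),
    Packet(45.0, "10.0.0.5", 40000, "203.0.113.7", 443, 6, 60),
]

EXPORTED = meter(SAMPLE)   # three records: HTTPS biflow, DNS biflow, new HTTPS flow
```

The idle-timeout split is the reason a single long-lived connection can appear as several flow records in collected data, which matters when flow counts are used for detection.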


Published In

LISA'10: Proceedings of the 24th International Conference on Large Installation System Administration, November 2010, 293 pages
Program Chair: Rudi Van Drunen
Sponsors: Hewlett-Packard, Oracle, USENIX Association
In cooperation with: SNIA, LOPSA
Publisher: USENIX Association, United States
Published: 07 November 2010

Cited By

  • Marionette. Proceedings of the 24th USENIX Conference on Security Symposium (12 Aug 2015), pp. 367-382. 10.5555/2831143.2831167
  • Realtime high-speed network traffic monitoring using ntopng. Proceedings of the 28th USENIX Conference on Large Installation System Administration (9 Nov 2014), pp. 69-79. 10.5555/2717491.2717496
  • Protocol misidentification made easy with format-transforming encryption. Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (4 Nov 2013), pp. 61-72. 10.1145/2508859.2516657
  • Scap. Proceedings of the 2013 Internet Measurement Conference (23 Oct 2013), pp. 441-454. 10.1145/2504730.2504750
  • Wire-speed statistical classification of network traffic on commodity hardware. Proceedings of the 2012 Internet Measurement Conference (14 Nov 2012), pp. 65-72. 10.1145/2398776.2398784
  • Classifying internet one-way traffic. Proceedings of the 2012 Internet Measurement Conference (14 Nov 2012), pp. 37-50. 10.1145/2398776.2398781
  • Towards bandwidth estimation using flow-level measurements. Proceedings of the 6th IFIP WG 6.6 International Autonomous Infrastructure, Management, and Security Conference on Dependable Networks and Services (4 Jun 2012), pp. 127-138. 10.1007/978-3-642-30633-4_18
  • Identifying Skype traffic in a large-scale flow data repository. Proceedings of the Third International Conference on Traffic Monitoring and Analysis (27 Apr 2011), pp. 72-85. 10.5555/1986282.1986292