Automic VaultAutomic Vault

brew

Install yaf with Homebrew

Yet another flowmeter: processes packet data from pcap(3). Version 2.19.3 via Homebrew; verified 2026-05-29.

install

Additional install commands

macOS

Homebrewverified ยท 100%
brew install yaf

local Homebrew formula metadata

overview

Package summary

Yet another flowmeter: processes packet data from pcap(3)

Commands and aliases

  • airdaemon
  • filedaemon
  • getFlowKeyHash
  • yaf
  • yafMeta2Pcap
  • yafcollect
  • yafscii

history

Project history and usage

YAF, Yet Another Flowmeter, is CERT NetSA's packet-to-flow sensor for turning live traffic or PCAP captures into bidirectional IPFIX flow records. In package-manager terms it is the flow-metering front end of a larger network-security toolchain rather than a general packet sniffer.

Project history

The NetSA documentation describes YAF as the data collection component of the CERT NetSA Security Suite. Its original purpose was experimental: tracking work in the IETF IPFIX working group, especially bidirectional flow representation, archival storage formats, structured export, and deep packet inspection fields.

A 2010 USENIX LISA paper by Christopher M. Inacio and Brian Trammell presented YAF as a reference implementation of an IPFIX metering and exporting process and as a platform for rapid deployment of new flow-meter capabilities. The modern NetSA site keeps both a stable 2.x documentation set and a 3.x pre-release line, showing that the tool remained maintained long after its research-prototype origins.

Adoption history

YAF adoption is tied to operational network monitoring, especially environments that already use SiLK, super_mediator, Analysis Pipeline, Mothra, or other IPFIX-compatible collectors. Its niche is converting high-volume packet observation into compact flow records that analysts can store, query, and correlate without preserving every packet payload.

How it is used

Common usage is to run `yaf` against a live interface, a pcap file, or a list of captures, export IPFIX to a collector, or write an IPFIX-based file for later processing. The documentation emphasizes flow building, DPI fields for protocols such as DNS, SSL, HTTP, and SMTP, and PCAP indexing workflows for retrospective analysis.

For package users, the important distinction is that YAF is not a packet-display tool like tcpdump or Wireshark. It is a sensor component that summarizes packet streams into flow data for downstream security analytics.

Why package nerds care

YAF is interesting to package nerds because it packages a research-grade IPFIX metering implementation as a Unix sensor daemon and CLI suite. It also sits at the boundary between standards work, security operations, and package-manager distribution: libpcap in, IPFIX and SiLK-style workflows out.

Timeline

  • 2006: The public YAF release history begins with the 0.1.0 series.
  • 2010: YAF was presented at USENIX LISA as Yet Another Flowmeter, a reference IPFIX metering and exporting implementation.
  • 2011: The release history records the YAF 2.0.0 line.
  • 2020s: The NetSA site documents YAF 2.x as stable and YAF 3.x as a pre-release line.

Related projects

  • SiLK, super_mediator, Analysis Pipeline, and Mothra are the NetSA tools most directly connected to YAF output.
  • libpcap and tcpdump are adjacent capture-layer tools, while IPFIX collectors are the protocol-level peers that consume YAF export streams.

security posture

No protected-tool coverage found yet

No matching local secret-handling manifest was found for yaf. Nucleus package metadata is still published here so future coverage has a stable package URL.

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Installs with 5 runtime dependencies.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
airdaemoncliglobal executable
filedaemoncliglobal executable
getFlowKeyHashcliglobal executable
yafcliglobal executable
yafMeta2Pcapcliglobal executable
yafcollectcliglobal executable
yafsciicliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version2.19.3
manager updated2026-05-29
local dataok
upstreamnot checked
latest detectednot detected

https://tools.netsa.cert.org/yaf/

install metadata

Package metadata

Package keybrew:yaf
Version2.19.3
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/yaf
Homepagehttps://tools.netsa.cert.org/yaf/
Upstream docshttps://tools.netsa.cert.org/yaf2
LicenseGPL-2.0-only
Source archivehttps://tools.netsa.cert.org/releases/yaf-2.19.3.tar.gz
Last updated2026-05-29T16:19:12Z
Pulseupdated
Dependenciesgettext, glib, libfixbuf, libtool, pcre2
Build dependenciespkgconf
Uses from macOSlibpcap
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Nameyaf
Version Scheme0
Revision0
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • stable

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • package relationship graph
  • package version freshness
  • package-page enrichment