QoF

Description:

QoF is a TCP-aware flow meter, available at http://github.com/britram/qof.

QoF (Quality of Flow) is an IPFIX Metering and Exporting process, designed for passive measurement of per-flow performance characteristics.

QoF is primarily intended to support research into passive measurement of performance metrics for TCP flows; however, it can also be used for general flow measurement, especially in environments where the deployment of technologies which inspect packet payload is restricted. QoF is a fork of YAF version 2.3.2, with the following major differences from the YAF codebase:

  • Removal of all payload inspection code.
  • Replacement of packet acquisition layer with WAND's libtrace.

  • Replacement of most command line flags with a YAML-based configuration file, which allows implicit feature selection through direct specification of the information elements to appear in QoF's export templates.

  • Support for new information elements focused on passive TCP performance measurement.

QoF is licensed under the GNU General Public License, Version 2.

Quick start:

To install QoF:

  1. Make sure you’ve got QoF’s direct dependencies: libglib-2.0 (the GNOME C modernization layer) and libyaml and their headers. On Debian systems, install the libglib-2.0-dev and libyaml-dev packages.
  2. Download and install libfixbuf from CERT; version 1.2.0 required.
  3. Download and install libtrace from WAND at the University of Waikato. On Debian systems, this is in the libtrace3-dev package. Building libtrace requires bison and flex headers, as well.
  4. Install QoF. This works the same as it does everywhere: ./configure --prefix=/some/where && make && make install; if installing straight from the git working directory, use autogen.sh first. You may need the --with-libtrace flag to ./configure if libtrace is not installed in a system path. If QoF is installed to the same prefix as libfixbuf, the autotools script should automatically find it.

To run QoF, writing to an IPFIX file:

qof --yaml yaml-file --in libtrace-uri --out ipfix-filename

The libtrace-uri for a PCAP file named foo.pcap would be pcapfile:foo.pcap. Note that libtrace supports compressed trace files natively (e.g. pcapfile:foo.pcap.gz); see the libtrace documentation for more.

There’s a sample yaml-file configuration file in the test directory. The most important configuration directive is template:, which lists the Information Elements which will be exported by YAF.

QoF includes a set of tools in Python for analyzing IPFIX output for research purposes; these are described in the GitHub wiki.

 

New features supported by the mPlane project

The entirety of the feature set added to QoF since it was forked from YAF in November 2012 was added with the support of the mPlane project.

 

mPlane proxy interface

Proxy interface development is ongoing, pending the development of an mPlane to IPFIX Information Element bridge interface.

 

Official version