Network Monitoring

This dataset represents network traffic data collected by Datadog Cloud Network Monitoring (CNM). It provides visibility into network traffic between services, containers, availability zones, and any other tag in Datadog. Connection data at the IP, port, and PID levels is aggregated into application-layer dependencies between client and server endpoints. This allows to pinpoint unexpected or latent service dependencies, optimize costly cross-regional or multi-cloud communication, identify outages of cloud provider regions and third-party tools, and troubleshoot connectivity issues.

Note: This dataset can also be queried using the alias dd.network_flows. This dataset is distinct from dd.network_device_flows, which is a separate Datadog product.

dd.network

Cloud Network Monitoring Public Documentation

Network Monitoring Public Documentation

Query Parameters

This dataset uses a polymorphic table function. You must specify parameters when querying.

ParameterTypeRequiredDescription
columnsarray<string>YesList of fields to return for each network flow (e.g., ’timestamp’, ’network.client.ip’, ’network.server.ip’).
filterstringNoOptional EVP search string. For example: filter => ’network.transport:tcp AND network.server.port:443'.
from_timestampstringNoLower time bound for the query; defaults to query context if omitted.
to_timestampstringNoUpper time bound for the query; defaults to query context if omitted.

Example Queries

-- Fetch recent network flows between services
SELECT * FROM dd.network(
  columns => ARRAY[
    'timestamp',
    'network.client.ip',
    'network.server.ip',
    'network.server.port',
    'network.transport',
    'network.bytes_read',
    'network.bytes_written',
    'network.rtt_avg_ns'
  ],
  filter => 'network.transport:tcp AND network.server.port:443'
) AS (
  ts TIMESTAMP,
  client_ip VARCHAR,
  server_ip VARCHAR,
  server_port DOUBLE,
  transport VARCHAR,
  bytes_read DOUBLE,
  bytes_written DOUBLE,
  rtt_avg_ns DOUBLE
);

Fields

TitleIDTypeData TypeDescription
TimestamptimestampcoretimestampTime the network flow event was recorded in nanoseconds since epoch (e.g., 1765640709000000000).
Flow IDidcorestringUnique identifier for the network flow record (e.g., 'AZsYYyOIAAACAAAANLzbc30c').
SourcesourcecorestringData source identifier (e.g., 'network').
Event Typeevent_typecorestringType of network event (e.g., 'layer4-v2').
Scope Namescope_namecorestringScope or data source name for the flow (e.g., 'netflow-search-v2').
Transport Protocolnetwork.transportcorestringTransport layer protocol (e.g., 'tcp', 'udp').
IP Familynetwork.familycorestringIP address family (e.g., 'v4', 'v6').
Region Communicationnetwork.region_communicationcorestringType of regional communication (e.g., 'intra' for same region).
Client IPnetwork.client.ipcorestringIP address of the client endpoint (e.g., '10.132.107.224').
Client IP Typenetwork.client.ip_typecorestringType of client IP address (e.g., 'private', 'public').
Client Hostnetwork.client.hostcorestringHostname of the client (e.g., 'i-07b6f03c87e57f2fc').
Client Portnetwork.client.portcoreint64Source port of the client connection (e.g., 36356).
Client Port Countnetwork.client.port_countcoreint64Number of distinct client ports aggregated in this flow (e.g., 1).
Server IPnetwork.server.ipcorestringIP address of the server endpoint (e.g., '10.132.72.96').
Server IP Typenetwork.server.ip_typecorestringType of server IP address (e.g., 'private', 'public').
Server Hostnetwork.server.hostcorestringHostname of the server (e.g., 'i-024a9a501215f3a2d').
Server Portnetwork.server.portcoreint64Destination port of the server (e.g., 8443).
Server Port Countnetwork.server.port_countcoreint64Number of distinct server ports aggregated in this flow (e.g., 1).
Server PID Countnetwork.server.pid_countcoreint64Number of distinct server PIDs aggregated in this flow (e.g., 1).
Bytes Readnetwork.bytes_readcoreint64Total bytes read by the client from the server (e.g., 24).
Bytes Writtennetwork.bytes_writtencoreint64Total bytes written by the client to the server (e.g., 88).
Packets Sentnetwork.packets_sentcoreint64Number of packets sent by the client (e.g., 9).
Packets Receivednetwork.packets_receivedcoreint64Number of packets received by the client (e.g., 8).
Server Bytes Readnetwork.server.bytes_readcoreint64Total bytes read by the server from the client (e.g., 88).
Server Bytes Writtennetwork.server.bytes_writtencoreint64Total bytes written by the server to the client (e.g., 24).
Server Packets Sentnetwork.server.packets_sentcoreint64Number of packets sent by the server (e.g., 8).
Server Packets Receivednetwork.server.packets_receivedcoreint64Number of packets received by the server (e.g., 9).
RTT Average (ns)network.rtt_avg_nscoreint64Average round-trip time in nanoseconds (e.g., 6542000).
RTT Countnetwork.rtt_countcoreint64Number of RTT samples collected (e.g., 1).
Server RTT (microseconds)network.server.rttcoreint64Server-side round-trip time in microseconds (e.g., 6542).
Server RTT Average (ns)network.server.rtt_avg_nscoreint64Server-side average round-trip time in nanoseconds (e.g., 6542000).
TCP Closednetwork.tcp_closedcoreint64Number of closed TCP connections (e.g., 1).
TCP Reset Percentnetwork.tcp_reset_percentcorefloat64Percentage of connections that were reset (e.g., 0).
TCP Refusal Percentnetwork.tcp_refusal_percentcorefloat64Percentage of connections that were refused (e.g., 0).
TCP Timeoutsnetwork.tcp_timeoutscoreint64Number of TCP connection timeouts (e.g., 0).
TCP Timeout Percentnetwork.tcp_timeout_percentcorefloat64Percentage of connections that timed out (e.g., 0).
TCP Cancelednetwork.tcp_canceledcoreint64Number of canceled TCP connections (e.g., 0).
TCP Canceled Percentnetwork.tcp_canceled_percentcorefloat64Percentage of connections that were canceled (e.g., 0).
TCP Host Unreachablenetwork.tcp_host_unreachablecoreint64Number of host unreachable errors (e.g., 0).
Server TCP Timeoutsnetwork.server.tcp_timeoutscoreint64Number of server-side TCP connection timeouts (e.g., 0).
Server TCP Host Unreachablenetwork.server.tcp_host_unreachablecoreint64Number of server-side host unreachable errors (e.g., 0).
Client TCP Establishednetwork.client.tcp_establishedcoreint64Number of client-side established TCP connections (e.g., 1).
Client TCP Resetsnetwork.client.tcp_resetscoreint64Number of client-side TCP connection resets (e.g., 0).
Client TCP Reset Percentnetwork.client.tcp_reset_percentcorefloat64Percentage of client-side connections that were reset (e.g., 0).
Client TCP Refusalsnetwork.client.tcp_refusalscoreint64Number of client-side TCP connection refusals (e.g., 0).
Client TCP Timeoutsnetwork.client.tcp_timeoutscoreint64Number of client-side TCP connection timeouts (e.g., 0).
Intra Regionintra_regiontagstringWhether client and server are in the same region (e.g., 'unknown').
Intra Availability Zoneintra_availability_zonetagstringWhether client and server are in the same availability zone (e.g., 'true').
Client Serviceclient_servicetagstringService name of the client (e.g., 'my-service').
Server Serviceserver_servicetagstringService name of the server.
Client Environmentclient_envtagstringEnvironment of the client (e.g., 'staging').
Server Environmentserver_envtagstringEnvironment of the server (e.g., 'staging').
Client Accountclient_accounttagstringCloud account of the client (e.g., 'staging').
Server Accountserver_accounttagstringCloud account of the server (e.g., 'staging').
Client AWS Accountclient_aws_accounttagstringAWS account ID of the client.
Security Group Evaluationsecurity_group_evaluationtagstringResult of security group evaluation (e.g., 'allowed', 'unknown').
TLS Cipher Suitetls_cipher_suitetagstringTLS cipher suite used (e.g., 'tls_kds_123_gcm_sha256').
Client Hostclient_hosttagstringClient host identifier.
Server Hostserver_hosttagstringServer host identifier.
Server ADP Enabledserver_adp_enabledtagstringWhether Agent Data Pipeline is enabled on the server.
Server Gateway IDserver_gateway_idtagstringId of the gateway.
Server Gateway Typeserver_gateway_typetagstringType of the server gateway (e.g., aws_vpc_endpoint).
Server Kubernetes Cluster Nameserver_kube_cluster_nametagstringKubernetes cluster name of the server.
Server Kubernetes Nodeserver_kube_nodetagstringKubernetes node of the server.
Server Kubernetes Node Roleserver_kube_node_roletagstringKubernetes node role of the server.
Server Kubernetes Container Nameserver_kube_container_nametagstringKubernetes container name of the server.
Server Kubernetes Namespaceserver_kube_namespacetagstringKubernetes namespace of the server.
Server Kubernetes Owner Reference Kindserver_kube_ownerref_kindtagstringKubernetes owner reference kind of the server.
Server Kubernetes Owner Reference Nameserver_kube_ownerref_nametagstringKubernetes owner reference name of the server.
Server Kubernetes QoSserver_kube_qostagstringKubernetes Quality of Service class of the server.
Server Kubernetes Serviceserver_kube_servicetagstringKubernetes service of the server.
Server Kubernetes Deploymentserver_kube_deploymenttagstringKubernetes deployment of the server.
Server Kubernetes Replica Setserver_kube_replica_settagstringKubernetes replica set of the server.
Server Kubernetes Priority Classserver_kube_priority_classtagstringKubernetes priority class of the server (e.g., cluster-dns-critical).
Server Kubernetes Daemon Setserver_kube_daemon_settagstringKubernetes daemon set of the server.
Server Kubernetes Stateful Setserver_kube_stateful_settagstringKubernetes stateful set of the server.
Server Kubernetes App Nameserver_kube_app_nametagstringKubernetes app name of the server.
Server Kubernetes App Instanceserver_kube_app_instancetagstringKubernetes app instance of the server.
Server Kubernetes App Managed Byserver_kube_app_managed_bytagstringKubernetes app managed by label of the server.
Server Kubernetes App Componentserver_kube_app_componenttagstringKubernetes app component of the server.
Server Kubernetes App Part Ofserver_kube_app_part_oftagstringKubernetes app part of label of the server.
Server Kubernetes App Versionserver_kube_app_versiontagstringKubernetes app version of the server.
Server Kubernetes Autoscaler Kindserver_kube_autoscaler_kindtagstringKubernetes autoscaler kind of the server.
Client Kubernetes Cluster Nameclient_kube_cluster_nametagstringKubernetes cluster name of the client.
Client Kubernetes Nodeclient_kube_nodetagstringKubernetes node of the client.
Client Kubernetes Node Roleclient_kube_node_roletagstringKubernetes node role of the client.
Client Kubernetes Container Nameclient_kube_container_nametagstringKubernetes container name of the client.
Client Kubernetes Namespaceclient_kube_namespacetagstringNamespaces help logical separation of resources within a single cluster.
Client Kubernetes Owner Reference Kindclient_kube_ownerref_kindtagstringKubernetes owner reference kind of the client (e.g., replicaset).
Client Kubernetes Owner Reference Nameclient_kube_ownerref_nametagstringKubernetes owner reference name of the client.
Client Kubernetes QoSclient_kube_qostagstringKubernetes Quality of Service class of the client (e.g., burstable).
Client Kubernetes Serviceclient_kube_servicetagstringKubernetes service of the client.
Client Kubernetes Priority Classclient_kube_priority_classtagstringKubernetes priority class of the client (e.g., node-local-dns-critical).
Client Kubernetes Deploymentclient_kube_deploymenttagstringKubernetes deployment of the client.
Client Kubernetes Replica Setclient_kube_replica_settagstringKubernetes replica set of the client.
Client Kubernetes Daemon Setclient_kube_daemon_settagstringKubernetes daemon set of the client.
Client Kubernetes App Instanceclient_kube_app_instancetagstringKubernetes app instance of the client.
Client Kubernetes App Nameclient_kube_app_nametagstringKubernetes app name of the client.
Client Kubernetes App Managed Byclient_kube_app_managed_bytagstringKubernetes app managed by label of the client.
Client Kubernetes App Componentclient_kube_app_componenttagstringKubernetes app component of the client.
Client Kubernetes App Part Ofclient_kube_app_part_oftagstringKubernetes app part of label of the client.
Client Kubernetes Stateful Setclient_kube_stateful_settagstringKubernetes stateful set of the client.
Client Kubernetes App Versionclient_kube_app_versiontagstringKubernetes app version of the client.
Client Kubernetes Autoscaler Kindclient_kube_autoscaler_kindtagstringKubernetes autoscaler kind of the client.
Client Kubernetes CronJobclient_kube_cronjobtagstringKubernetes cron job of the client.
Client Kubernetes Distributionclient_kube_distributiontagstringKubernetes distribution of the client.
Client Kubernetes Jobclient_kube_jobtagstringKubernetes job of the client.
Client Kubernetes Runtime Classclient_kube_runtime_classtagstringKubernetes runtime class of the client.