Network Device Flows

This dataset represents network flow data collected by Datadog’s Network Device Monitoring (NDM) using the NetFlow protocol (https://en.wikipedia.org/wiki/NetFlow). It provides visibility into network traffic patterns across routers, switches, firewalls, and other network infrastructure devices. Each event captures detailed flow information including source and destination endpoints, protocol details, packet/byte counts, geographic data, and device context to enable analysis of network performance, security, and utilization.

dd.network_device_flows

NetFlow Protocol (Wikipedia)

Network Device Monitoring Public Documentation

Monitoring Simple Network Management Protocol Public Documentation

Query Parameters

This dataset is exposed as a polymorphic table function: you must pass parameters when querying, and the trailing AS (...) clause declares a name and a type for each entry of columns, in the same order.

Parameter | Type | Required | Description
columns | array<string> | Yes | List of fields to return for each network flow (e.g., 'timestamp', '@initiator.ip', '@responder.ip', '@bytes_read', '@bytes_sent', '@device.name').
event_type | string | No | Optional filter by flow protocol type (event_type => 'netflow9' or 'netflow5').
filter | string | No | Optional Event Platform search string. For example: filter => '@device.namespace:production AND @ip_protocol:TCP'.
from_timestamp | string | No | Lower time bound for the query; defaults to the query context if omitted.
to_timestamp | string | No | Upper time bound for the query; defaults to the query context if omitted.

Example Queries

-- Analyze high-volume TCP flows
SELECT * FROM dd.network_device_flows(
  columns => ARRAY[
    'timestamp',
    '@device.name',
    '@initiator.ip',
    '@responder.ip',
    '@packets_read',
    '@packets_sent',
    '@bytes_read',
    '@bytes_sent'
  ],
  event_type => 'netflow9',
  filter => '@ip_protocol:TCP AND @packets:>1000'
) AS (
  ts TIMESTAMP,
  device_name VARCHAR,
  initiator_ip VARCHAR,
  responder_ip VARCHAR,
  packets_read BIGINT,
  packets_sent BIGINT,
  bytes_read BIGINT,
  bytes_sent BIGINT
);

-- Geographic analysis of network flows
SELECT * FROM dd.network_device_flows(
  columns => ARRAY[
    'timestamp',
    '@device.namespace',
    '@source.geoip.country.name',
    '@destination.geoip.country.name',
    '@ip_protocol',
    '@bytes'
  ],
  filter => '@device.namespace:example_namespace'
) AS (
  ts TIMESTAMP,
  namespace VARCHAR,
  src_country VARCHAR,
  dst_country VARCHAR,
  protocol VARCHAR,
  byte_count BIGINT
);
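The two queries above list flows; a security engineer usually wants the aggregate view. The following query is an added example, not part of the original page, that ranks internal initiators by how much they push to responders outside the organization, using the initiator/responder and bytes_sent/bytes_read direction semantics documented below. It assumes a PostgreSQL-style dialect (CTE, SUM, COUNT(DISTINCT), HAVING, NULLIF, ROUND) and that the Event Platform filter accepts CIDR notation on IP attributes; 10.0.0.0/8 stands in for the internal address space, and the 1 GiB threshold is illustrative.

```sql
-- Added example (not from the original page): internal initiators that upload
-- far more than they download to external responders.
-- Assumptions: PostgreSQL-style aggregation; CIDR notation accepted in the
-- Event Platform filter; 10.0.0.0/8 is the internal range; thresholds are illustrative.
WITH flows AS (
  SELECT * FROM dd.network_device_flows(
    columns => ARRAY[
      'timestamp',
      '@device.name',
      '@initiator.ip',
      '@responder.ip',
      '@responder.port',
      '@responder.geoip.country.name',
      '@responder.geoip.as.name',
      '@bytes_sent',
      '@bytes_read'
    ],
    event_type => 'netflow9',
    -- initiator inside, responder outside: the upload direction of the flow
    filter => '@initiator.ip:10.0.0.0/8 AND -@responder.ip:10.0.0.0/8 AND -@responder.ip:172.16.0.0/12 AND -@responder.ip:192.168.0.0/16'
  ) AS (
    ts TIMESTAMP,
    device_name VARCHAR,
    initiator_ip VARCHAR,
    responder_ip VARCHAR,
    responder_port VARCHAR,
    responder_country VARCHAR,
    responder_as_name VARCHAR,
    bytes_sent BIGINT,
    bytes_read BIGINT
  )
)
SELECT
  initiator_ip,
  COUNT(*)                     AS flows,
  COUNT(DISTINCT responder_ip) AS distinct_responders,
  SUM(bytes_sent)              AS total_bytes_sent,  -- initiator -> responder
  SUM(bytes_read)              AS total_bytes_read,  -- responder -> initiator
  -- ordinary client traffic reads far more than it sends; a ratio > 1 is unusual
  ROUND(SUM(bytes_sent) * 1.0 / NULLIF(SUM(bytes_read), 0), 2) AS sent_to_read_ratio,
  MIN(ts) AS first_seen,
  MAX(ts) AS last_seen
FROM flows
GROUP BY initiator_ip
-- more than 1 GiB uploaded in the window, and more sent than read
HAVING SUM(bytes_sent) > 1073741824
   AND SUM(bytes_sent) > SUM(bytes_read)
ORDER BY total_bytes_sent DESC
LIMIT 20;
```

The private-range exclusion could equally be done in the WHERE clause with string prefix tests on responder_ip if the filter string does not accept CIDR notation. Keep the responder country and AS name in the column list: a large upload to a cloud storage provider's AS is a different conversation from one to an unfamiliar hosting provider.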

Fields

Title | ID | Type | Data type | Description
Timestamp | timestamp | core | timestamp | Time when the flow event occurred (e.g., 1770987466281).
Host | host | core | string | Hostname of the NetFlow collector Agent (e.g., host1).
Packets | @packets | event_attribute | int64 | Total number of packets in the flow (e.g., 1000).
Initiator Interface Index | @initiator.interface.index | event_attribute | int64 | Network interface index for the flow initiator (e.g., 8).
Initiator Port | @initiator.port | event_attribute | string | Port number used by the flow initiator (e.g., 12345). Stored as a string.
Initiator Network Mask | @initiator.mask | event_attribute | string | Network mask for the initiator IP address (e.g., 10.10.10.180/24).
Destination Application Name | @destination.application_name | event_attribute | string | Application name associated with the destination (e.g., app_name).
IP Protocol | @ip_protocol | event_attribute | string | Network protocol used in the flow (e.g., TCP).
Initiator IP Address | @initiator.ip | event_attribute | string | IP address of the flow initiator (e.g., 180.1.1.2). Initiator and responder identify the client and server sides of the flow (one side is the initiator, the other the responder), so you can group flows by client/server or by in-network vs out-of-network.
Packets Read | @packets_read | event_attribute | int64 | Number of packets from responder to initiator (e.g., 1173). Read = direction toward the initiator (for example, data you read from a server).
Source IP Address | @source.ip | event_attribute | string | Source IP address in the flow (e.g., 192.1.207.252).
Device Namespace | @device.namespace | event_attribute | string | Namespace identifier for the network device (e.g., namespace_name).
Packets Sent | @packets_sent | event_attribute | int64 | Number of packets from initiator to responder (e.g., 200). Sent = direction toward the responder (for example, data you sent to a server).
Egress Interface Index | @egress.interface.index | event_attribute | int64 | Network interface index for outbound traffic (e.g., 3).
Exporter IP Address | @exporter.ip | event_attribute | string | IP address of the device exporting flow data (e.g., 10.200.10.123).
Device Name | @device.name | event_attribute | string | Name of the network device generating the flow (e.g., example-swtch.example.router).
Source Application Name | @source.application_name | event_attribute | string | Application name associated with the source (e.g., public-app).
Initiator Continent Code | @initiator.geoip.continent.code | event_attribute | string | Geographic continent code for the initiator IP (e.g., code).
Destination Longitude | @destination.geoip.location.longitude | event_attribute | float64 | Geographic longitude for the destination IP (e.g., -10.1234).
Source Country Name | @source.geoip.country.name | event_attribute | string | Geographic country name for the source IP (e.g., United States).
Initiator Longitude | @initiator.geoip.location.longitude | event_attribute | float64 | Geographic longitude for the initiator IP (e.g., -10.1234).
Responder Port | @responder.port | event_attribute | string | Port number used by the flow responder (e.g., 120). Stored as a string.
Source Subdivision Name | @source.geoip.subdivision.name | event_attribute | string | Geographic subdivision name for the source IP (e.g., Massachusetts).
Initiator City Name | @initiator.geoip.city.name | event_attribute | string | Geographic city name for the initiator IP (e.g., Cambridge).
Destination Latitude | @destination.geoip.location.latitude | event_attribute | float64 | Geographic latitude for the destination IP (e.g., 10.123).
Responder Longitude | @responder.geoip.location.longitude | event_attribute | float64 | Geographic longitude for the responder IP (e.g., -10.1234).
Source Continent Code | @source.geoip.continent.code | event_attribute | string | Geographic continent code for the source IP (e.g., code).
Initiator Application Name | @initiator.application_name | event_attribute | string | Application name associated with the flow initiator (e.g., unknown).
Responder City Name | @responder.geoip.city.name | event_attribute | string | Geographic city name for the responder IP (e.g., Cambridge).
Device Vendor | @device.vendor | event_attribute | string | Vendor of the network device (e.g., aruba).
Initiator AS Number | @initiator.geoip.as.number | event_attribute | string | Autonomous System number for the initiator IP (e.g., AS1234).
Source Latitude | @source.geoip.location.latitude | event_attribute | float64 | Geographic latitude for the source IP (e.g., 10.1234).
Source City Name | @source.geoip.city.name | event_attribute | string | Geographic city name for the source IP (e.g., Cambridge).
Initiator AS Domain | @initiator.geoip.as.domain | event_attribute | string | Domain name associated with the initiator's AS (e.g., domain.com).
Destination Port | @destination.port | event_attribute | string | Port number used by the destination (e.g., 10). Stored as a string.
Source MAC Address | @source.mac | event_attribute | string | MAC address of the source device (e.g., 00:00:00:00:00:00).
Responder IP Address | @responder.ip | event_attribute | string | IP address of the flow responder (e.g., 110.1.234.56).
Responder AS Route | @responder.geoip.as.route | event_attribute | string | Network route associated with the responder's AS (e.g., 110.1.0.0/22).
Destination Subdivision Name | @destination.geoip.subdivision.name | event_attribute | string | Geographic subdivision name for the destination IP (e.g., Ohio).
Responder Continent Code | @responder.geoip.continent.code | event_attribute | string | Geographic continent code for the responder IP (e.g., code).
Initiator AS Name | @initiator.geoip.as.name | event_attribute | string | Organization name for the initiator's AS (e.g., Apple Inc.).
Ingress Interface Name | @ingress.interface.name | event_attribute | string | Name of the ingress network interface (e.g., GE0/0/0).
Source Subdivision ISO Code | @source.geoip.subdivision.iso_code | event_attribute | string | ISO code for the source IP's subdivision (e.g., iso_code).
Source Reverse DNS Hostname | @source.reverse_dns_hostname | event_attribute | string | Reverse DNS hostname for the source IP.
Destination AS Route | @destination.geoip.as.route | event_attribute | string | Network route associated with the destination's AS (e.g., 110.1.2.3/16).
Responder Reverse DNS Hostname | @responder.reverse_dns_hostname | event_attribute | string | Reverse DNS hostname for the responder IP.
Responder Application Name | @responder.application_name | event_attribute | string | Application name associated with the flow responder (e.g., public-app).
Bytes | @bytes | event_attribute | int64 | Total number of bytes transferred in the flow (e.g., 12345).
Bytes Read | @bytes_read | event_attribute | int64 | Number of bytes from responder to initiator (e.g., 12345). Read = direction toward the initiator (for example, 1 GB you read from Netflix).
Bytes Sent | @bytes_sent | event_attribute | int64 | Number of bytes from initiator to responder (e.g., 12345). Sent = direction toward the responder (for example, 50 KB you sent to a server for APIs/telemetry).
Destination Port Aggregation | destination_port_aggregation | core | string | Aggregation key for destination port analysis.
Destination Aggregation | destination_aggregation | core | string | Aggregation key for destination analysis.
Source Port Aggregation | source_port_aggregation | core | string | Aggregation key for source port analysis.
Source Aggregation | source_aggregation | core | string | Aggregation key for source analysis.
Protocol Aggregation | protocol_aggregation | core | string | Aggregation key for protocol analysis.
SNMP Profile | snmp_profile | tag | string | SNMP profile used for device monitoring (e.g., generic-device).
Device ID | device_id | tag | string | Unique identifier for the network device.
SNMP Host | snmp_host | tag | string | Hostname used for SNMP monitoring (e.g., example-swtch.example.router).
Device IP | device_ip | tag | string | IP address of the monitored network device (e.g., 10.100.12.123).
Event ID | id | core | string | A unique identifier for the event.
Discovery Timestamp | discovery_timestamp | core | int64 | The time when Datadog first received the event (milliseconds since Unix epoch). May differ from timestamp if there was an ingestion delay.
Tiebreaker | tiebreaker | core | int64 | A value used to establish deterministic ordering among events that share the same timestamp.
Ingest Size | ingest_size_in_bytes | core | int64 | The size of the event payload in bytes at the time of ingestion, before any processing.
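The initiator/responder split and the packets_read/packets_sent direction fields make scan detection a short aggregation. The query below is an added example, not part of the original page: it groups tiny TCP flows by (initiator, responder) and counts distinct responder ports, which is the shape of a vertical port scan, and separately counts flows that got nothing back, which is how filtered ports look from the initiator's side. It assumes a PostgreSQL-style dialect (CTE, COUNT(DISTINCT), CASE, HAVING) and that the Event Platform filter accepts the [a TO b] range syntax on numeric attributes; the namespace value and the thresholds (at most 3 packets per flow, at least 50 distinct ports) are illustrative.

```sql
-- Added example (not from the original page): initiators that touch many
-- distinct responder ports with tiny flows, the signature of a port scan.
-- Assumptions: PostgreSQL-style aggregation; [a TO b] range syntax accepted in
-- the Event Platform filter; namespace 'production' and thresholds are illustrative.
WITH probes AS (
  SELECT * FROM dd.network_device_flows(
    columns => ARRAY[
      'timestamp',
      '@device.name',
      '@device.namespace',
      '@initiator.ip',
      '@responder.ip',
      '@responder.port',
      '@ip_protocol',
      '@packets_sent',
      '@packets_read'
    ],
    -- a SYN probe and its answer (if any) fit in one to three packets
    filter => '@device.namespace:production AND @ip_protocol:TCP AND @packets:[1 TO 3]'
  ) AS (
    ts TIMESTAMP,
    device_name VARCHAR,
    namespace VARCHAR,
    initiator_ip VARCHAR,
    responder_ip VARCHAR,
    responder_port VARCHAR,   -- port fields are strings in this dataset
    protocol VARCHAR,
    packets_sent BIGINT,
    packets_read BIGINT
  )
)
SELECT
  initiator_ip,
  responder_ip,
  COUNT(DISTINCT responder_port) AS ports_probed,
  COUNT(*)                       AS probe_flows,
  -- filtered ports never answer, so nothing is read back by the initiator
  SUM(CASE WHEN packets_read = 0 THEN 1 ELSE 0 END) AS unanswered_flows,
  MIN(ts) AS first_seen,
  MAX(ts) AS last_seen
FROM probes
GROUP BY initiator_ip, responder_ip
HAVING COUNT(DISTINCT responder_port) >= 50
ORDER BY ports_probed DESC, probe_flows DESC
LIMIT 50;
```

To catch a horizontal sweep (one port across many hosts) instead, group by initiator_ip and responder_port and count distinct responder_ip. Because the data is NetFlow, expect exported flows to be aggregated by the device's active/inactive timeouts; a scanner that reuses the same initiator port against one responder port can collapse several probes into one record, which is why the example counts distinct ports rather than raw flow rows alone.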