---
title: Network Device Flows
description: Datadog, the leading service for cloud-scale monitoring.
---

# Network Device Flows

This dataset represents network flow data collected by Datadog's Network Device Monitoring (NDM) using the [NetFlow protocol](https://en.wikipedia.org/wiki/NetFlow). It provides visibility into network traffic patterns across routers, switches, firewalls, and other network infrastructure devices. Each event captures detailed flow information including source and destination endpoints, protocol details, packet/byte counts, geographic data, and device context to enable analysis of network performance, security, and utilization.

```
dd.network_device_flows
```
 
## Query Parameters

This dataset uses a **polymorphic table function**. You must specify parameters when querying.

| Parameter        | Type            | Required | Description                                                                                                                                         |
| ---------------- | --------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------- |
| `columns`        | `array<string>` | Yes      | List of fields to return for each network flow (e.g., 'timestamp', '@initiator.ip', '@responder.ip', '@bytes_read', '@bytes_sent', '@device.name'). |
| `event_type`     | `string`        | No       | Optional filter by flow protocol type (event_type => 'netflow9' or 'netflow5').                                                                     |
| `filter`         | `string`        | No       | Optional Event Platform search string. For example: filter => '@device.namespace:production AND @ip_protocol:TCP'.                                  |
| `from_timestamp` | `string`        | No       | Lower time bound for the query; defaults to query context if omitted.                                                                               |
| `to_timestamp`   | `string`        | No       | Upper time bound for the query; defaults to query context if omitted.                                                                               |

## Example Queries

```sql
-- Analyze high-volume TCP flows
SELECT * FROM dd.network_device_flows(
  columns => ARRAY[
    'timestamp',
    '@device.name',
    '@initiator.ip',
    '@responder.ip',
    '@packets_read',
    '@packets_sent',
    '@bytes_read',
    '@bytes_sent'
  ],
  event_type => 'netflow9',
  filter => '@ip_protocol:TCP AND @packets:>1000'
) AS (
  ts TIMESTAMP,
  device_name VARCHAR,
  initiator_ip VARCHAR,
  responder_ip VARCHAR,
  packets_read BIGINT,
  packets_sent BIGINT,
  bytes_read BIGINT,
  bytes_sent BIGINT
);
```

```sql
-- Geographic analysis of network flows
SELECT * FROM dd.network_device_flows(
  columns => ARRAY[
    'timestamp',
    '@device.namespace',
    '@source.geoip.country.name',
    '@destination.geoip.country.name',
    '@ip_protocol',
    '@bytes'
  ],
  filter => '@device.namespace:example_namespace'
) AS (
  ts TIMESTAMP,
  namespace VARCHAR,
  src_country VARCHAR,
  dst_country VARCHAR,
  protocol VARCHAR,
  byte_count BIGINT
);
```
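
The Fields table below defines `@bytes_sent` as initiator-to-responder traffic and `@bytes_read` as responder-to-initiator traffic, so upload-heavy conversations can be surfaced for egress review by comparing the two. The following query is an added example, not part of Datadog's documentation; the 100 MB and 10:1 thresholds are constructed values, and it assumes DDSQL's standard `GROUP BY`, `HAVING`, `ORDER BY`, and `LIMIT` clauses apply to this table function's output.

```sql
-- Added example: rank initiator/responder pairs whose traffic is dominated by
-- uploads (initiator -> responder), a common starting point for egress review.
-- Thresholds are constructed; tune them to your own baseline.
SELECT
  device_name,
  initiator_ip,
  responder_ip,
  responder_port,
  COUNT(*)        AS flow_count,
  SUM(bytes_sent) AS total_bytes_sent,
  SUM(bytes_read) AS total_bytes_read
FROM dd.network_device_flows(
  columns => ARRAY[
    '@device.name',
    '@initiator.ip',
    '@responder.ip',
    '@responder.port',
    '@bytes_sent',
    '@bytes_read'
  ],
  filter => '@ip_protocol:TCP'
) AS (
  device_name VARCHAR,
  initiator_ip VARCHAR,
  responder_ip VARCHAR,
  responder_port VARCHAR,   -- port fields are typed as string in this dataset
  bytes_sent BIGINT,
  bytes_read BIGINT
)
GROUP BY device_name, initiator_ip, responder_ip, responder_port
-- Keep pairs that sent more than 100 MB in total...
HAVING SUM(bytes_sent) > 100000000
   -- ...and sent more than 10x what they read. Multiplying instead of
   -- dividing keeps pairs with zero bytes read and avoids division by zero.
   AND SUM(bytes_sent) > 10 * SUM(bytes_read)
ORDER BY total_bytes_sent DESC
LIMIT 50;
```

Because no `from_timestamp` or `to_timestamp` is given, the time range comes from the query context, so the byte totals only mean something relative to that window.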

## Fields

| Title                          | ID                                    | Type            | Data Type | Description                                                                                                                                                                                                            |
| ------------------------------ | ------------------------------------- | --------------- | --------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Timestamp                      | timestamp                             | core            | timestamp | Time when the flow event occurred (e.g., 1770987466281).                                                                                                                                                               |
| Host                           | host                                  | core            | string    | Hostname of the NetFlow collector Agent (e.g., host1).                                                                                                                                                                 |
| Packets                        | @packets                              | event_attribute | int64     | Total number of packets in the flow (e.g., 1000).                                                                                                                                                                      |
| Initiator Interface Index      | @initiator.interface.index            | event_attribute | int64     | Network interface index for the flow initiator (e.g., 8).                                                                                                                                                              |
| Initiator Port                 | @initiator.port                       | event_attribute | string    | Port number used by the flow initiator (e.g., 12345).                                                                                                                                                                  |
| Initiator Network Mask         | @initiator.mask                       | event_attribute | string    | Network mask for the initiator IP address (e.g., 10.10.10.180/52).                                                                                                                                                     |
| Destination Application Name   | @destination.application_name         | event_attribute | string    | Application name associated with the destination (e.g., app_name).                                                                                                                                                     |
| IP Protocol                    | @ip_protocol                          | event_attribute | string    | Network protocol used in the flow (e.g., TCP).                                                                                                                                                                         |
| Initiator IP Address           | @initiator.ip                         | event_attribute | string    | IP address of the flow initiator (e.g., 180.1.1.2). Initiator and responder identify client vs server (one side is initiator, the other responder), so you can group by client/server or in-network vs out-of-network. |
| Packets Read                   | @packets_read                         | event_attribute | int64     | Number of packets from responder to initiator (e.g., 1173). Read = direction toward the initiator (e.g., data you read from a server).                                                                                 |
| Source IP Address              | @source.ip                            | event_attribute | string    | Source IP address in the flow (e.g., 192.1.207.252).                                                                                                                                                                   |
| Device Namespace               | @device.namespace                     | event_attribute | string    | Namespace identifier for the network device (e.g., namespace_name).                                                                                                                                                    |
| Packets Sent                   | @packets_sent                         | event_attribute | int64     | Number of packets from initiator to responder (e.g., 200). Sent = direction toward the responder (e.g., data you sent to a server).                                                                                    |
| Egress Interface Index         | @egress.interface.index               | event_attribute | int64     | Network interface index for outbound traffic (e.g., 3).                                                                                                                                                                |
| Exporter IP Address            | @exporter.ip                          | event_attribute | string    | IP address of the device exporting flow data (e.g., 10.200.10.123).                                                                                                                                                    |
| Device Name                    | @device.name                          | event_attribute | string    | Name of the network device generating the flow (e.g., example-swtch.example.router).                                                                                                                                   |
| Source Application Name        | @source.application_name              | event_attribute | string    | Application name associated with the source (e.g., public-app).                                                                                                                                                        |
| Initiator Continent Code       | @initiator.geoip.continent.code       | event_attribute | string    | Geographic continent code for the initiator IP (e.g., code).                                                                                                                                                           |
| Destination Longitude          | @destination.geoip.location.longitude | event_attribute | float64   | Geographic longitude for the destination IP (e.g., -10.1234).                                                                                                                                                          |
| Source Country Name            | @source.geoip.country.name            | event_attribute | string    | Geographic country name for the source IP (e.g., United States).                                                                                                                                                       |
| Initiator Longitude            | @initiator.geoip.location.longitude   | event_attribute | float64   | Geographic longitude for the initiator IP (e.g., -10.1234).                                                                                                                                                            |
| Responder Port                 | @responder.port                       | event_attribute | string    | Port number used by the flow responder (e.g., 120).                                                                                                                                                                    |
| Source Subdivision Name        | @source.geoip.subdivision.name        | event_attribute | string    | Geographic subdivision name for the source IP (e.g., Massachusetts).                                                                                                                                                   |
| Initiator City Name            | @initiator.geoip.city.name            | event_attribute | string    | Geographic city name for the initiator IP (e.g., Cambridge).                                                                                                                                                           |
| Destination Latitude           | @destination.geoip.location.latitude  | event_attribute | float64   | Geographic latitude for the destination IP (e.g., 10.123).                                                                                                                                                             |
| Responder Longitude            | @responder.geoip.location.longitude   | event_attribute | float64   | Geographic longitude for the responder IP (e.g., -10.1234).                                                                                                                                                            |
| Source Continent Code          | @source.geoip.continent.code          | event_attribute | string    | Geographic continent code for the source IP (e.g., code).                                                                                                                                                              |
| Initiator Application Name     | @initiator.application_name           | event_attribute | string    | Application name associated with the flow initiator (e.g., unknown).                                                                                                                                                   |
| Responder City Name            | @responder.geoip.city.name            | event_attribute | string    | Geographic city name for the responder IP (e.g., Cambridge).                                                                                                                                                           |
| Device Vendor                  | @device.vendor                        | event_attribute | string    | Vendor of the network device (e.g., aruba).                                                                                                                                                                            |
| Initiator AS Number            | @initiator.geoip.as.number            | event_attribute | string    | Autonomous System number for the initiator IP (e.g., AS1234).                                                                                                                                                          |
| Source Latitude                | @source.geoip.location.latitude       | event_attribute | float64   | Geographic latitude for the source IP (e.g., 10.1234).                                                                                                                                                                 |
| Source City Name               | @source.geoip.city.name               | event_attribute | string    | Geographic city name for the source IP (e.g., Cambridge).                                                                                                                                                              |
| Initiator AS Domain            | @initiator.geoip.as.domain            | event_attribute | string    | Domain name associated with the initiator's AS (e.g., domain.com).                                                                                                                                                     |
| Destination Port               | @destination.port                     | event_attribute | string    | Port number used by the destination (e.g., 10).                                                                                                                                                                        |
| Source MAC Address             | @source.mac                           | event_attribute | string    | MAC address of the source device (e.g., 00:00:00:00:00:00).                                                                                                                                                            |
| Responder IP Address           | @responder.ip                         | event_attribute | string    | IP address of the flow responder (e.g., 110.1.234.567).                                                                                                                                                                |
| Responder AS Route             | @responder.geoip.as.route             | event_attribute | string    | Network route associated with the responder's AS (e.g., 110.1.0.0/22).                                                                                                                                                 |
| Destination Subdivision Name   | @destination.geoip.subdivision.name   | event_attribute | string    | Geographic subdivision name for the destination IP (e.g., Ohio).                                                                                                                                                       |
| Responder Continent Code       | @responder.geoip.continent.code       | event_attribute | string    | Geographic continent code for the responder IP (e.g., code).                                                                                                                                                           |
| Initiator AS Name              | @initiator.geoip.as.name              | event_attribute | string    | Organization name for the initiator's AS (e.g., Apple Inc.).                                                                                                                                                           |
| Ingress Interface Name         | @ingress.interface.name               | event_attribute | string    | Name of the ingress network interface (e.g., GE0/0/0).                                                                                                                                                                 |
| Source Subdivision ISO Code    | @source.geoip.subdivision.iso_code    | event_attribute | string    | ISO code for the source IP's subdivision (e.g., iso_code).                                                                                                                                                             |
| Source Reverse DNS Hostname    | @source.reverse_dns_hostname          | event_attribute | string    | Reverse DNS hostname for the source IP.                                                                                                                                                                                |
| Destination AS Route           | @destination.geoip.as.route           | event_attribute | string    | Network route associated with the destination's AS (e.g., 110.1.2.3/16).                                                                                                                                               |
| Responder Reverse DNS Hostname | @responder.reverse_dns_hostname       | event_attribute | string    | Reverse DNS hostname for the responder IP.                                                                                                                                                                             |
| Responder Application Name     | @responder.application_name           | event_attribute | string    | Application name associated with the flow responder (e.g., public-app).                                                                                                                                                |
| Bytes                          | @bytes                                | event_attribute | int64     | Total number of bytes transferred in the flow (e.g., 12345).                                                                                                                                                           |
| Bytes Read                     | @bytes_read                           | event_attribute | int64     | Number of bytes from responder to initiator (e.g., 12345). Read = direction toward the initiator (e.g., 1GB you read from Netflix).                                                                                    |
| Bytes Sent                     | @bytes_sent                           | event_attribute | int64     | Number of bytes from initiator to responder (e.g., 12345). Sent = direction toward the responder (e.g., 50KB you sent to a server for APIs/telemetry).                                                                 |
| Destination Port Aggregation   | destination_port_aggregation          | core            | string    | Aggregation key for destination port analysis.                                                                                                                                                                         |
| Destination Aggregation        | destination_aggregation               | core            | string    | Aggregation key for destination analysis.                                                                                                                                                                              |
| Source Port Aggregation        | source_port_aggregation               | core            | string    | Aggregation key for source port analysis.                                                                                                                                                                              |
| Source Aggregation             | source_aggregation                    | core            | string    | Aggregation key for source analysis.                                                                                                                                                                                   |
| Protocol Aggregation           | protocol_aggregation                  | core            | string    | Aggregation key for protocol analysis.                                                                                                                                                                                 |
| SNMP Profile                   | snmp_profile                          | tag             | string    | SNMP profile used for device monitoring (e.g., generic-device).                                                                                                                                                        |
| Device ID                      | device_id                             | tag             | string    | Unique identifier for the network device.                                                                                                                                                                              |
| SNMP Host                      | snmp_host                             | tag             | string    | Hostname used for SNMP monitoring (e.g., example-swtch.example.router).                                                                                                                                                |
| Device IP                      | device_ip                             | tag             | string    | IP address of the monitored network device (e.g., 10.100.12.123).                                                                                                                                                      |
| Event ID                       | id                                    | core            | string    | A unique identifier for the event.                                                                                                                                                                                     |
| Discovery Timestamp            | discovery_timestamp                   | core            | int64     | The time when Datadog first received the event (milliseconds since Unix epoch). May differ from timestamp if there was an ingestion delay.                                                                             |
| Tiebreaker                     | tiebreaker                            | core            | int64     | A value used to establish deterministic ordering among events that share the same timestamp.                                                                                                                           |
| Ingest Size                    | ingest_size_in_bytes                  | core            | int64     | The size of the event payload in bytes at the time of ingestion, before any processing.                                                                                                                                |
