
Overview

Use NetFlow Monitoring in Datadog to visualize and monitor your flow records from your NetFlow-enabled devices.

Installation

To use NetFlow Monitoring with Network Device Monitoring, ensure you are using Agent version 7.45 or newer.

Note: Configuring metric collection from Network Device Monitoring is not a requirement for sending NetFlow data, although it is strongly recommended as this extra data can be used to enrich your flow records with information such as the device name, model, and vendor, as well as the inbound/outbound interface name.

Configuration

To send NetFlow, jFlow, sFlow, or IPFIX traffic to the Agent NetFlow server, configure your devices to export to the IP address of the host where the Datadog Agent is installed, using the port of the listener whose flow_type matches the traffic being sent.

Edit your datadog.yaml Agent configuration file to enable NetFlow:

network_devices:
  netflow:
    enabled: true
    listeners:
      - flow_type: netflow9   # choices: netflow5, netflow9, ipfix, sflow5
        port: 2055            # devices must send traffic to this port
      - flow_type: netflow5
        port: 2056
      - flow_type: ipfix
        port: 4739
      - flow_type: sflow5
        port: 6343

After saving your changes, restart the Agent.

Aggregation

The Datadog Agent automatically aggregates the received NetFlow data in order to limit the number of records sent to the platform while maintaining most of the information. By default there is a five-minute aggregation interval, during which flow records that share the same identifying information (source and destination address and port, protocol, and so forth) are aggregated together. Additionally, the Datadog Agent can detect ephemeral ports and remove them. As a result, you may see flows with port:*.
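The effect of this aggregation on the records that reach the platform, as an added Python example that is not Datadog's code: it assumes ports at or above 49152 are ephemeral (the Agent's actual detection logic is not described on this page), and the flow records and field names are constructed.

```python
from collections import defaultdict

INTERVAL = 300         # five-minute aggregation interval stated above
EPHEMERAL_MIN = 49152  # ASSUMPTION: IANA dynamic range, not the Agent's real rule

def collapse_ephemeral(sport, dport):
    """Replace the ephemeral side of a flow with '*' (assumed heuristic)."""
    s_eph, d_eph = sport >= EPHEMERAL_MIN, dport >= EPHEMERAL_MIN
    if s_eph and not d_eph:
        return "*", dport
    if d_eph and not s_eph:
        return sport, "*"
    return sport, dport  # both or neither look ephemeral: keep both ports

def aggregate(records):
    """Sum bytes and packets of flows sharing a window and identifying fields."""
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0, "flows": 0})
    for r in records:
        window = r["ts"] // INTERVAL * INTERVAL
        sport, dport = collapse_ephemeral(r["sport"], r["dport"])
        key = (window, r["src"], r["dst"], sport, dport, r["proto"])
        totals[key]["bytes"] += r["bytes"]
        totals[key]["packets"] += r["packets"]
        totals[key]["flows"] += 1
    return dict(totals)

def rec(ts, src, sport, dst, dport, nbytes, packets):
    """Build one constructed TCP flow record (ts in seconds)."""
    return {"ts": ts, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": "TCP", "bytes": nbytes, "packets": packets}

# Constructed sample: one client opening several Postgres connections.
SAMPLE = [
    rec(10, "10.0.0.5", 51000, "10.0.1.20", 5432, 1200, 10),
    rec(120, "10.0.0.5", 51001, "10.0.1.20", 5432, 800, 6),
    rec(290, "10.0.0.5", 51002, "10.0.1.20", 5432, 500, 4),
    rec(20, "10.0.1.20", 5432, "10.0.0.5", 51000, 9000, 12),  # reply direction
    rec(310, "10.0.0.5", 51003, "10.0.1.20", 5432, 700, 5),   # next window
]

if __name__ == "__main__":
    for key, total in sorted(aggregate(SAMPLE).items(), key=str):
        print(key, total)
```

The three client connections in the first window collapse into a single record with source port *, so the per-connection source ports cannot be recovered from the aggregated data.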

Enrichment

Your NetFlow data is processed by the Datadog backend and enriched with the available metadata from your devices and interfaces. Enrichment is based on the NetFlow exporter IP and the interface indexes. To disambiguate possible collisions between reused private IPs, you can configure a different namespace for each Agent configuration file (with the setting network_devices.namespace).

If the NetFlow exporter IP is one of the device IPs, but not the one configured on the SNMP integration, Datadog attempts to locate the device that the exporter IP belongs to, and enriches your NetFlow data with it as long as the match is unique.

Cloud provider IP enrichment

Datadog enriches IPs with public cloud provider service and region for IPv4 addresses, so you can filter for flow records from a specific service and region.

Netflow IPs enriched with cloud provider name, region, and service

Port enrichment

Datadog enriches ports in NetFlow with IANA (Internet Assigned Numbers Authority) data to resolve well-known port mappings (such as Postgres on 5432 and HTTPS on 443). This can be seen when searching for source or destination application names on NetFlow.

The NetFlow page filtered by @destination.application_name and displaying names for ports such as HTTPS

Custom port enrichment

You can also add your own custom enrichments to map ports and protocols to specific applications (for example, if a custom service runs on a specific port). This makes it easier for network engineers and their teams to interpret and query NetFlow data with human-readable names.

From the Configuration tab in NetFlow, click Add Enrichment to upload the CSV file containing your custom enrichments.

The New Enrichment Mapping modal in the Netflow configuration tab

Visualization

You can find the NetFlow page on the Network Devices page.

NetFlow Page

This data is also available in Dashboards, Notebooks, and more for more precise queries and for correlating with other sources of data.

Notebook

Retention

NetFlow data is retained for 30 days by default.
