Overview

Use NetFlow Monitoring in Datadog to visualize and monitor your flow records from your NetFlow-enabled devices.

Installation

To use NetFlow Monitoring with Network Device Monitoring, ensure you are using Agent version 7.45 or newer.

Note: Configuring metric collection from Network Device Monitoring is not required for sending NetFlow data, but it is strongly recommended. The extra data can be used to enrich your flow records with information such as the device name, model, and vendor, as well as the inbound/outbound interface name.

Configuration

To send NetFlow, sFlow, or IPFIX traffic to the Agent NetFlow server, configure your devices to send traffic to the IP address of the host that the Datadog Agent is installed on, using the port of the listener whose flow_type matches the traffic being sent.

Edit your datadog.yaml Agent configuration file to enable NetFlow:

network_devices:
  netflow:
    enabled: true
    listeners:
      - flow_type: netflow9   # choices: netflow5, netflow9, ipfix, sflow5
        port: 2055            # devices must send traffic to this port
      - flow_type: netflow5
        port: 2056
      - flow_type: ipfix
        port: 4739
      - flow_type: sflow5
        port: 6343

After saving your changes, restart the Agent.
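
A quick way to confirm that the netflow5 listener on port 2056 from the configuration above receives traffic, as an added example that is not part of the Datadog documentation or Agent code: it builds one NetFlow v5 datagram with a constructed flow record and sends it over UDP. The addresses, ports, interface indexes, and function names are assumptions chosen for the test.

```python
import socket
import struct
import time

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record


def build_netflow5_packet(src, dst, sport, dport, proto=6, in_if=1, out_if=2,
                          packets=10, octets=1200, uptime_ms=60_000, seq=0, now=None):
    """Return one NetFlow v5 datagram carrying a single constructed flow record."""
    now = time.time() if now is None else now
    # version=5, count=1 record, sysUptime, unix secs/nsecs, sequence, engine, sampling
    header = HEADER.pack(5, 1, uptime_ms, int(now), int((now % 1) * 1e9), seq, 0, 0, 0)
    record = RECORD.pack(
        socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
        in_if, out_if,                  # input/output interface indexes
        packets, octets,
        uptime_ms - 5_000, uptime_ms,   # flow first/last seen, in sysUptime ms
        sport, dport,
        0, 0x18, proto, 0,              # pad, TCP flags (PSH+ACK), protocol, ToS
        0, 0, 24, 24, 0)                # src/dst AS, src/dst mask, pad
    return header + record


def parse_netflow5_packet(data):
    """Decode the header and first record, to check the packet before sending it."""
    version, count, *_ = HEADER.unpack_from(data, 0)
    f = RECORD.unpack_from(data, HEADER.size)
    return {"version": version, "count": count,
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "in_if": f[3], "out_if": f[4], "bytes": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13]}


def send_test_flow(agent_host, port=2056):
    """Send the constructed record to the Agent's netflow5 listener; return bytes sent."""
    pkt = build_netflow5_packet("192.0.2.10", "198.51.100.20", 51514, 443)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(pkt, (agent_host, port))


if __name__ == "__main__":
    # 127.0.0.1 assumes the script runs on the Agent host itself.
    print(send_test_flow("127.0.0.1"), "bytes sent to the netflow5 listener")
```

Allow for the aggregation interval before expecting the test record to show up, and use documentation-range addresses such as the ones above so the test flow is easy to tell apart from real traffic.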

Aggregation

The Datadog Agent automatically aggregates the received NetFlow data to limit the number of records sent to the platform while maintaining most of the information. By default, there is a 5 minute aggregation interval, during which flow records that share the same identifying information (source and destination address and port, protocol, and so forth) are aggregated together. Additionally, the Datadog Agent can detect ephemeral ports and remove them. As a result, you may see flows with port:*.

Enrichment

Your NetFlow data is processed by the Datadog backend and enriched with the available metadata from your devices and interfaces. Enrichment is based on the NetFlow exporter IP and the interface indexes. To disambiguate possible collisions between reused private IPs, you can configure a different namespace for each Agent configuration file (with the setting network_devices.namespace).

If the NetFlow exporter IP is one of the device IPs, but not the one configured on the SNMP integration, Datadog attempts to locate the device that the exporter IP belongs to, and enriches your NetFlow data with it as long as the match is unique.

Visualization

You can find the NetFlow page on the Network Devices page.

This data is also available in Dashboards, Notebooks, and more, for more precise queries and for correlating with other sources of data.

Retention

NetFlow data is retained for 30 days by default.
