To use NetFlow Monitoring with Network Device Monitoring, ensure you are using the Agent version 7.45 or newer.
Note: Configuring metric collection from Network Device Monitoring is not a requirement for sending NetFlow data, although it is strongly recommended as this extra data can be used to enrich your flow records with information such as the device name, model, and vendor, as well as the inbound/outbound interface name.
To send NetFlow, jFlow, sFlow, or IPFIX traffic to the Agent NetFlow server, configure your devices to export to the IP address of the host where the Datadog Agent is installed, on the port that matches the flow_type configured for that listener.
Edit your datadog.yaml Agent configuration file to enable NetFlow:
    network_devices:
      netflow:
        enabled: true
        listeners:
          - flow_type: netflow9 # choices: netflow5, netflow9, ipfix, sflow5
            port: 2055         # devices need to be configured to the same port number
          - flow_type: netflow5
            port: 2056
          - flow_type: ipfix
            port: 4739
          - flow_type: sflow5
            port: 6343
        ## Set to true to enable reverse DNS enrichment of private source and destination IP addresses in NetFlow records
        reverse_dns_enrichment_enabled: false
The Datadog Agent automatically aggregates the NetFlow data it receives to limit the number of records sent to the platform while preserving most of the information. By default, flow records that share the same identifiers (source and destination address, port, and protocol) are aggregated together in five-minute intervals. Additionally, the Datadog Agent can detect ephemeral ports and remove them, so you may see flows with port:*.
Your NetFlow data is processed by the Datadog backend and enriched with the available metadata from your devices and interfaces. Enrichment is based on the NetFlow exporter IP and the interface indexes. To disambiguate possible collisions between reused private IPs, you can configure a different namespace for each Agent configuration file (with the setting network_devices.namespace).
If the NetFlow exporter IP is one of the device's IPs but not the one configured on the SNMP integration, Datadog attempts to locate the device that the exporter IP belongs to and enriches your NetFlow data with it, as long as the match is unique.
Datadog enriches IPs with public cloud provider service and region for IPv4 addresses, so you can filter for flow records from a specific service and region.
Datadog enriches ports in NetFlow with IANA (Internet Assigned Numbers Authority) data to resolve well known port mappings (such as Postgres on 5432 and HTTPS on 443). This can be seen when searching for source or destination application names on NetFlow.
You can also add your own custom enrichments to map ports and protocols to specific applications (for example, if a custom service runs on a specific port). This makes it easier for network engineers and their teams to interpret and query NetFlow data with human-readable names.
From the Configuration tab in NetFlow, click Add Enrichment to upload the CSV file containing your custom enrichments.
Enable Reverse DNS private IP enrichment to perform DNS lookups for hostnames associated with source or destination IP addresses. When enabled, the Agent conducts reverse DNS lookups on source and destination IPs within private address ranges, enriching NetFlow records with the corresponding hostnames.
By default, the Reverse DNS IP enrichment in your datadog.yaml file is disabled. To enable, see the Configuration section of this page.
Search for DNS in the Flow grouping of the facets section to locate flows associated with Reverse DNS IP enrichment:
Note: Reverse DNS entries are cached and subject to rate limiting to minimize DNS queries and reduce the load on DNS servers. For more configuration options, including modifying default caching and rate limiting, see the full configuration file.
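The following added example (not Datadog code) models the two enrichment steps described above on one flow record: resolving an application name from port and protocol, where a custom mapping takes precedence over the built-in IANA well-known-port data, and a reverse DNS lookup that is attempted only for private source and destination addresses, with a cache and a per-run lookup budget standing in for the Agent's caching and rate limiting. The CSV column layout, the tiny IANA subset, the resolver table, and the sample flow are all constructed for this example and are not the format or data Datadog uses.

```python
import csv
import io
import ipaddress
from typing import Callable, Dict, Optional, Tuple

# Constructed subset standing in for IANA well-known port data.
IANA_WELL_KNOWN: Dict[Tuple[int, str], str] = {
    (22, "tcp"): "ssh",
    (53, "udp"): "dns",
    (443, "tcp"): "https",
    (5432, "tcp"): "postgres",
}

# Constructed custom enrichment; the column layout is an assumption of this example.
CUSTOM_ENRICHMENT_CSV = """port,protocol,application
8443,tcp,internal-admin-api
5432,tcp,billing-db
"""


def load_custom_enrichments(text: str) -> Dict[Tuple[int, str], str]:
    """Parse a port/protocol/application CSV, rejecting malformed rows."""
    table: Dict[Tuple[int, str], str] = {}
    for row in csv.DictReader(io.StringIO(text)):
        port = int(row["port"])
        proto = row["protocol"].strip().lower()
        if not 0 <= port <= 65535 or proto not in ("tcp", "udp"):
            raise ValueError(f"invalid enrichment row: {row}")
        table[(port, proto)] = row["application"].strip()
    return table


def application_name(port: int, proto: str,
                     custom: Dict[Tuple[int, str], str]) -> Optional[str]:
    """Custom mappings win over the built-in well-known-port table."""
    key = (port, proto.lower())
    return custom.get(key) or IANA_WELL_KNOWN.get(key)


class ReverseDnsEnricher:
    """Reverse DNS for private IPs only, with a cache and a lookup budget."""

    def __init__(self, resolver: Callable[[str], Optional[str]], max_lookups: int):
        self._resolver = resolver
        self._cache: Dict[str, Optional[str]] = {}
        self._max_lookups = max_lookups
        self.lookups = 0

    def hostname(self, ip: str) -> Optional[str]:
        if not ipaddress.ip_address(ip).is_private:
            return None                      # public IPs are never looked up
        if ip in self._cache:
            return self._cache[ip]           # cache hit (negative results cached too)
        if self.lookups >= self._max_lookups:
            return None                      # budget exhausted: leave unenriched
        self.lookups += 1
        self._cache[ip] = self._resolver(ip)
        return self._cache[ip]


def enrich(flow: dict, custom: Dict[Tuple[int, str], str],
           rdns: ReverseDnsEnricher) -> dict:
    proto = flow["ip_proto"]
    return {
        **flow,
        "src_application": application_name(flow["src_port"], proto, custom),
        "dst_application": application_name(flow["dst_port"], proto, custom),
        "src_hostname": rdns.hostname(flow["src_ip"]),
        "dst_hostname": rdns.hostname(flow["dst_ip"]),
    }


# Constructed resolver table; a real deployment would call the DNS resolver.
PTR_TABLE = {"10.0.0.5": "app-01.corp.example", "10.0.0.20": "db-01.corp.example"}

SAMPLE_FLOW = {"src_ip": "10.0.0.5", "src_port": 52000,
               "dst_ip": "10.0.0.20", "dst_port": 5432, "ip_proto": "tcp"}


def run_sample(max_lookups: int = 10) -> Tuple[dict, ReverseDnsEnricher]:
    custom = load_custom_enrichments(CUSTOM_ENRICHMENT_CSV)
    rdns = ReverseDnsEnricher(PTR_TABLE.get, max_lookups)
    return enrich(SAMPLE_FLOW, custom, rdns), rdns


if __name__ == "__main__":
    enriched, _ = run_sample()
    print(enriched)
```

For the sample flow the destination resolves to billing-db rather than postgres because the custom mapping overrides the IANA entry for 5432/tcp, and both hostnames are filled in because both addresses are private; a public destination such as 8.8.8.8 would get no lookup at all.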
You can access the data collected by NetFlow Monitoring on the NetFlow page. Hover over a flow from the list for additional information about hosts, pods, and containers, and access related network connections.
When creating a NetFlow monitor, you should consider the following fields with respect to the source IP or destination IP from the perspective of the device. These fields provide insights into network traffic patterns and help with optimizing performance and security.
The following fields represent characteristics of the network flow.
| Field Name | Field Description |
| --- | --- |
| Direction | Indicates whether the flow is inbound or outbound. |
| Start Time | Timestamp of the first network packet between the source and destination IP addresses. |
| End Time | Timestamp of the last network packet between the source and destination IP addresses. |
| Ether Type | Type of Ethernet frame encapsulation (IPv4 or IPv6). |
| Flow Type | Type of NetFlow data format (IPFIX, sFlow5, NetFlow5, NetFlow9, or Unknown). |
| IP Protocol | Protocol used for communication (such as ICMP, TCP, or UDP). |
| Next Hop IP | IP address of the next hop in the network path. |
| TCP Flag | Union of all TCP flags observed over the life of the flow. |
| Bytes | Total number of bytes transferred. |
| Packets | Total number of packets transferred. |
In addition to fields, you can also use out-of-the-box facets to start analyzing traffic patterns based on NetFlow destination and source IP addresses.
The domain associated with the Autonomous System (AS) to which the source IP belongs.
| Facet | Description |
| --- | --- |
| Source AS Name | The name of the Autonomous System (AS) to which the source IP belongs. |
| Source AS Number | The number assigned to the Autonomous System (AS) to which the source IP belongs. |
| Source AS Route | The route information associated with the Autonomous System (AS) to which the source IP belongs. |
| Source AS Type | The type of Autonomous System (AS) to which the source IP belongs (such as transit, customer, peer). |
| Source Application Name | The name of the application associated with the source IP. |
| Source City Name | The name of the city associated with the source IP. |
| Source Cloud Provider Name | The name of the cloud provider associated with the source IP. |
| Source Cloud Provider Region | The region of the cloud provider associated with the source IP. |
| Source Cloud Provider Service | The service provided by the cloud provider associated with the source IP. |
| Source Continent Code | The code representing the continent associated with the source IP. |
| Source Continent Name | The name of the continent associated with the source IP. |
| Source Country ISO Code | The ISO code representing the country associated with the source IP. |
| Source Country Name | The name of the country associated with the source IP. |
| Source IP | The source IP address. |
| Source Latitude | The latitude coordinate associated with the source IP. |
| Source Longitude | The longitude coordinate associated with the source IP. |
| Source MAC | The Media Access Control (MAC) address associated with the source IP. |
| Source Mask | The subnet mask associated with the source IP. |
| Source Port | The source port number. |
| Source Reverse DNS Hostname | The DNS hostname associated with the source IP. |
| Source Subdivision ISO Code | The ISO code representing the subdivision (such as state or province) associated with the source IP. |
| Source Subdivision Name | The name of the subdivision (such as state or province) associated with the source IP. |
| Source Timezone | The timezone associated with the source IP. |
By monitoring these key fields and using facets to analyze NetFlow events, organizations can gain visibility into their network infrastructure, optimize performance, and improve security posture.
This data is also available in dashboards and notebooks, enabling precise queries and correlation with other data sources. When creating a dashboard with NetFlow data, select NetFlow as the source in the Graph your data section.
NetFlow's sampling rate is taken into account in the computation of bytes and packets by default: the displayed values for bytes and packets already have the sampling rate applied.
Additionally, you can query for Bytes (Adjusted) (@adjusted_bytes) and Packets (Adjusted) (@adjusted_packets) in dashboards and notebooks to visualize them.
To visualize the raw bytes/packets (sampled) sent by your devices, you can query for Bytes (Sampled) (@bytes) and Packets (Sampled) (@packets) in dashboards and notebooks.
NetFlow packet drops can occur when there are a high number of NetFlow packets per second, typically greater than 50,000. The following steps can help identify and mitigate NetFlow packet drops:
Increase the number of NetFlow listeners by using a configuration similar to the following:
Datadog recommends setting the number of workers to match the number of CPU cores in your system:
Adjusting your system’s UDP queue length can help accommodate the higher volume of NetFlow packets. Increase the UDP receive buffer size to 25MB by executing the following commands: