OneAgent version 1.337+
OneAgent network connection monitoring collects network flow data at regular intervals via its network module or NetTracer and stores it in Grail.
Each flow describes traffic between two endpoints.
Unlike network metrics, which aggregate connection data per process, OneAgent network connection monitoring preserves individual connection details—including source and destination addresses, ports, packet counts, and RTT.
Collected data is stored as generic events in Grail in the default_network_flows bucket. These events don't trigger Davis problems, but can be used for supplemental analysis.
The collection component depends on the platform: the OneAgent network module supports Linux, Windows, and AIX, while NetTracer is Linux-only and optimized for container workloads.
To configure network flow collection, go to Settings > Collect and capture > Infrastructure > Network connection monitoring and turn on Enable OneAgent network connection monitoring.
Configuration options include:

- IP filter: controls which connections are included based on the remote IP address. The filter options are defined in terms of the private address ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 (IPv6: fd00::/8).
- Reported connections: determines which connections are included based on their characteristics.
If you don't see expected network flow data, verify that the Reported connections setting includes the connection types you want to monitor.
Over the aggregation interval, multiple sessions between the same endpoints are combined into a single flow record. For example, with a 1-minute interval, 10 connections from the same client to the same server IP and port produce one flow record with network_flow.tcp.sessions.new set to 10. Packet counts are summed and round-trip time (RTT) is averaged across the interval.
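The aggregation rule above, as an added Python illustration that is not code from the Dynatrace documentation or from OneAgent itself: sessions between the same client, server and port within one interval collapse into a single flow record whose session counters are tallied, whose packet counters are summed and whose RTT is averaged. The Session structure, the addresses and the packet counts are constructed for this example; only the output keys follow the network_flow.* attribute names used on this page. The retransmission-rate helper applies the same zero guard as the retransmission query further down the page.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# One TCP session seen by the agent within a single aggregation interval.
# This structure is an assumption for the example; only the output keys below
# follow the network_flow.* attribute names used on this page.
@dataclass(frozen=True)
class Session:
    source: str           # TCP client (connection initiator)
    destination: str      # TCP server (connection acceptor)
    dst_port: int
    packets_rx: int       # packets received (direction: to process)
    packets_tx: int       # packets transmitted (direction: from process)
    retrans_rx: int = 0   # retransmitted packets, to process
    retrans_tx: int = 0   # retransmitted packets, from process
    rtt_ms: float = 0.0   # round-trip time measured for this session
    outcome: str = "ok"   # "ok", "reset" or "timeout"


def aggregate_flows(sessions):
    """Combine all sessions between the same client, server and port into one
    flow record: session counts are tallied, packet counters are summed and RTT
    is averaged, as the page describes for one aggregation interval."""
    groups = defaultdict(list)
    for s in sessions:
        groups[(s.source, s.destination, s.dst_port)].append(s)

    flows = []
    for (src, dst, port), group in groups.items():
        flows.append({
            "network_flow.source.address": src,
            "network_flow.destination.address": dst,
            "network_flow.destination.port": port,
            "network_flow.tcp.sessions.new": len(group),
            "network_flow.tcp.sessions.reset": sum(s.outcome == "reset" for s in group),
            "network_flow.tcp.sessions.timeout": sum(s.outcome == "timeout" for s in group),
            "network_flow.packets.rx": sum(s.packets_rx for s in group),
            "network_flow.packets.tx": sum(s.packets_tx for s in group),
            "network_flow.packets.retransmitted.rx": sum(s.retrans_rx for s in group),
            "network_flow.packets.retransmitted.tx": sum(s.retrans_tx for s in group),
            "network_flow.tcp.rtt": mean(s.rtt_ms for s in group),
        })
    return flows


def retransmission_rate(flow):
    """Retransmission share of all packets in a flow, with the same zero guard
    as the page's DQL (filterOut total_rx == 0 or total_tx == 0): a flow with
    no packets in one direction yields None instead of a division error."""
    rx = flow["network_flow.packets.rx"]
    tx = flow["network_flow.packets.tx"]
    if rx == 0 or tx == 0:
        return None
    retrans = (flow["network_flow.packets.retransmitted.rx"]
               + flow["network_flow.packets.retransmitted.tx"])
    return retrans / (rx + tx)


# Constructed sample input: 10 sessions from one client to one server port in a
# single interval (8 clean, 1 timed out, 1 reset), plus one reset-only session
# to a different server port that exchanged no inbound packets.
SAMPLE_SESSIONS = (
    [Session("10.1.2.3", "10.9.8.7", 443, 50, 40, retrans_rx=1, rtt_ms=20.0)] * 8
    + [Session("10.1.2.3", "10.9.8.7", 443, 10, 10, retrans_rx=2, rtt_ms=30.0, outcome="timeout"),
       Session("10.1.2.3", "10.9.8.7", 443, 0, 4, retrans_tx=2, rtt_ms=20.0, outcome="reset"),
       Session("10.1.2.4", "10.9.8.7", 22, 0, 3, rtt_ms=5.0, outcome="reset")]
)


if __name__ == "__main__":
    for flow in aggregate_flows(SAMPLE_SESSIONS):
        rate = retransmission_rate(flow)
        print(flow["network_flow.source.address"], "->",
              flow["network_flow.destination.address"], flow["network_flow.destination.port"],
              "sessions.new =", flow["network_flow.tcp.sessions.new"],
              "retrans rate =", "n/a" if rate is None else f"{rate:.4f}")
```

With the constructed input, the ten sessions to port 443 become one record with network_flow.tcp.sessions.new = 10, one reset, one timeout, 410 packets received, 334 transmitted and a mean RTT of 21 ms; the lone reset to port 22 produces a second record whose zero inbound packet count makes the retransmission rate undefined, which is exactly what the filterOut step in the page's query removes.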
You can explore network flow data using DQL in Notebooks and Dashboards. All network flows collected by OneAgent share the same pipeline source identifier.
The following example retrieves all network flow records:
```dql
fetch events, bucket:{"default_network_flows"}
```
To filter by host, add a host filter:
```dql
fetch events, bucket:{"default_network_flows"}
| filter dt.smartscape.host == toSmartscapeId("<host-entity-id>")
```
Replace <host-entity-id> with the entity ID of the host you want to analyze.
The following example retrieves the top hosts by total packets received:
```dql
fetch events, bucket:{"default_network_flows"}
| summarize total_packets = sum(network_flow.packets.rx), by: {dt.smartscape.host}
| sort total_packets desc
| limit 10
```
To rank source IPs by outbound traffic volume:
```dql
fetch events, bucket:{"default_network_flows"}
| summarize bytes_tx = sum(network_flow.bytes.tx), by: {network_flow.source.address}
| sort bytes_tx desc
| limit 25
```
To identify the busiest source-to-destination pairs by packet count:
```dql
fetch events, bucket:{"default_network_flows"}
| summarize total_packets = sum(network_flow.packets.rx), by: {network_flow.source.address, network_flow.destination.address}
| sort total_packets desc
| limit 50
```
To find flows with the highest average round-trip time:
```dql
fetch events, bucket:{"default_network_flows"}
| summarize avg_rtt = avg(network_flow.tcp.rtt), by: {network_flow.source.address, network_flow.destination.address}
| filter isNotNull(avg_rtt)
| sort avg_rtt desc
| limit 50
```
To see which destination ports carry the most flows:
```dql
fetch events, bucket:{"default_network_flows"}
| summarize flows = count(), by: {network_flow.destination.port}
| sort flows desc
| limit 20
```
To narrow down flows that experienced session timeouts or resets:
```dql
fetch events, bucket:{"default_network_flows"}
| filter network_flow.tcp.sessions.timeout > 0 or network_flow.tcp.sessions.reset > 0
```
To surface connections with the highest retransmission rates:
```dql
fetch events, bucket:{"default_network_flows"}
| summarize {
    retrans_rx = sum(network_flow.packets.retransmitted.rx),
    retrans_tx = sum(network_flow.packets.retransmitted.tx),
    total_rx = sum(network_flow.packets.rx),
    total_tx = sum(network_flow.packets.tx)
  }, by: {network_flow.source.address, network_flow.destination.address}
| filterOut total_rx == 0 or total_tx == 0
| fieldsAdd perc_rx = retrans_rx / total_rx,
            perc_tx = retrans_tx / total_tx,
            perc_retrans = (retrans_rx + retrans_tx) / (total_rx + total_tx)
| sort perc_retrans desc
```
To rank source-destination pairs by number of new TCP connections established:
```dql
fetch events, bucket:{"default_network_flows"}
| summarize new_connections = sum(network_flow.tcp.sessions.new), by: {network_flow.source.address, network_flow.destination.address}
| sort new_connections desc
| limit 50
```
Each network flow record contains the following attributes. Records also inherit host, process, and container resource attributes.
| Attribute | Type | Description |
|---|---|---|
| | string | Agent that detected the flow. |
| | string | Entity ID of the container. |
| dt.smartscape.host | string | Entity ID of the host. |
| | string | Entity ID of the process. |
| | timestamp | Flow end time. |
| | timestamp | Flow start time. |
| | long | Bytes received during the interval (direction: to process). |
| network_flow.bytes.tx | long | Bytes transmitted during the interval (direction: from process). |
| network_flow.destination.address | ipAddress | Destination IP address. By convention, the destination is the TCP server (connection acceptor). |
| network_flow.destination.port | long | Destination port. By convention, the destination port belongs to the TCP server (connection acceptor). |
| | string | Whether the source IP address is the TCP client or server. |
| | string | Transport protocol. |
| | string | IP protocol version. |
| | long | Packets received (direction: to process), used as the base for the retransmission rate. |
| | long | Packets sent (direction: from process), used as the base for the retransmission rate. |
| network_flow.packets.retransmitted.rx | long | Retransmitted packets during the interval (direction: to process). |
| network_flow.packets.retransmitted.tx | long | Retransmitted packets during the interval (direction: from process). |
| network_flow.packets.rx | long | Packets received during the interval (direction: to process). |
| network_flow.packets.tx | long | Packets transmitted during the interval (direction: from process). |
| | boolean | Whether the process is acting as a server in this flow. |
| network_flow.source.address | ipAddress | Source IP address. By convention, the source is the TCP client (connection initiator). |
| network_flow.tcp.rtt | duration | Mean RTT [ms]. |
| | duration | Mean RTT ack value [ms]. |
| network_flow.tcp.sessions.new | long | New TCP sessions in the flow. |
| network_flow.tcp.sessions.reset | long | Reset (rejected) TCP sessions in the flow. |
| network_flow.tcp.sessions.timeout | long | Timed-out TCP sessions in the flow. |
Connectivity metrics (new, reset, and timed-out sessions) are currently reported only for incoming sessions to the server port.
Communication between two processes on the same host, or between two containers on the same node, may produce two separate records.