OneAgent network connection monitoring
- Latest Dynatrace
- Reference
- 3-min read
- Published May 07, 2026
OneAgent version 1.337+
OneAgent network connection monitoring collects network flow data at regular intervals via its network module or NetTracer and stores it in Grail.
Each flow describes traffic between two endpoints:
- A server-side endpoint identified by an IP address and port
- A client-side endpoint identified by an IP address only
Unlike network metrics, which aggregate connection data per process, OneAgent network connection monitoring preserves individual connection details—including source and destination addresses, ports, packet counts, and RTT.
Collected data is stored as generic events in Grail in the default_network_flows bucket. These events don't trigger Davis problems, but can be used for supplemental analysis.
Supported platforms
- Linux
- Windows
- AIX
The network module used depends on the platform: the component collecting network data supports Linux, Windows, and AIX, while NetTracer is Linux-only and optimized for container workloads.
Settings
To configure network flow collection, go to Settings > Collect and capture > Infrastructure > Network connection monitoring and turn on Enable OneAgent network connection monitoring.
Configuration options include:
IP filter
The IP filter controls which connections are included based on the remote IP address.
- All (default): All connections are reported.
- Private traffic only: Only connections from private address space are reported (IPv4:
10.0.0.0/8,172.16.0.0/12,192.168.0.0/16; IPv6:fd00::/8). - Public traffic only: Only connections from globally routable addresses are reported.
- Custom inclusion: Only connections from listed addresses are reported. Specify addresses in comma-separated CIDR notation, for example:
10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. - Custom exclusion: All connections are reported except those from listed addresses. Specify addresses in comma-separated CIDR notation, for example:
10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
Reported connections
The reported connections setting determines which connections are included based on their characteristics.
- All: All connections are reported.
- Critical connections (default): Only new connections with session timeout and existing connections that were reset are reported.
- Custom: Only connections exceeding specified thresholds are reported. You can configure thresholds for bytes transferred, connectivity (new sessions, reset sessions, timed-out sessions), retransmissions, and RTT.
If you don't see expected network flow data, verify that the Reported connections setting includes the connection types you want to monitor.
Aggregation
Over the aggregation interval, multiple sessions between the same endpoints are combined into a single flow record. For example, with a 1-minute interval, 10 connections from the same client to the same server IP and port produce one flow record with network_flow.tcp.sessions.new set to 10. Packet counts are summed and round-trip time (RTT) is averaged across the interval.
- Aggregation interval [min.]: How often network flow records are sent. Default: 1 minute. Increasing the interval (for example, to 5 minutes) reduces the number of records sent but also delays reporting.
- Rate limit: Maximum number of flow records sent per aggregation interval. Default: 100. Increasing the rate limit on busy servers improves visibility but ingests more events.
Query network flows
You can explore network flow data using DQL in 
Notebooks and 
Dashboards. All network flows collected by OneAgent share the same pipeline source identifier.
The following example retrieves all network flow records:
fetch events, bucket:{"default_network_flows"}
To filter by host, add a host filter:
fetch events, bucket:{"default_network_flows"}| filter dt.smartscape.host == toSmartscapeId("<host-entity-id>")
Replace <host-entity-id> with the entity ID of the host you want to analyze.
The following example retrieves the top hosts by total packets received:
fetch events, bucket:{"default_network_flows"}| summarize total_packets = sum(network_flow.packets.rx), by: {dt.smartscape.host}| sort total_packets desc| limit 10
To rank source IPs by outbound traffic volume:
fetch events, bucket:{"default_network_flows"}| summarize bytes_tx = sum(network_flow.bytes.tx), by: {network_flow.source.address}| sort bytes_tx desc| limit 25
To identify the busiest source-to-destination pairs by packet count:
fetch events, bucket:{"default_network_flows"}| summarize total_packets = sum(network_flow.packets.rx), by:{network_flow.source.address,network_flow.destination.address}| sort total_packets desc| limit 50
To find flows with the highest average round-trip time:
fetch events, bucket:{"default_network_flows"}| summarize avg_rtt = avg(network_flow.tcp.rtt) , by: {network_flow.source.address, network_flow.destination.address}| filter isNotNull(avg_rtt)| sort avg_rtt desc| limit 50
To see which destination ports carry the most flows:
fetch events, bucket:{"default_network_flows"}| summarize flows = count() , by: network_flow.destination.port| sort flows desc| limit 20
To narrow down flows that experienced session timeouts or resets:
fetch events, bucket:{"default_network_flows"}| filter network_flow.tcp.sessions.timeout > 0 or network_flow.tcp.sessions.reset > 0
To surface connections with the highest retransmission rates:
fetch events, bucket:{"default_network_flows"}| summarize { retrans_rx = sum(network_flow.packets.retransmitted.rx), retrans_tx = sum(network_flow.packets.retransmitted.tx),total_rx = sum(network_flow.packets.rx), total_tx = sum(network_flow.packets.tx)},by: {network_flow.source.address, network_flow.destination.address}| filterOut total_rx == 0 or total_tx == 0| fieldsAdd perc_rx = retrans_rx / total_rx, perc_tx = retrans_tx / total_tx,perc_retrans = (retrans_rx + retrans_tx) / (total_rx + total_tx)| sort perc_retrans desc
To rank source-destination pairs by number of new TCP connections established:
fetch events, bucket:{"default_network_flows"}| summarize new_connections = sum(network_flow.tcp.sessions.new), by:{network_flow.source.address,network_flow.destination.address}| sort new_connections desc| limit 50
Network flow
Network flow fields
Fields relevant for network flows.
| Attribute | Type | Description | Examples |
|---|---|---|---|
network_flow.bytes.rx | long | experimental Number of bytes (octets) received during given interval, direction: to Process (PGI). | |
network_flow.bytes.tx | long | experimental Number of bytes (octets) transmitted during given interval, direction: from Process (PGI). | |
network_flow.destination.address | ipAddress | experimental Destination IP address. By convention, destination means TCP server (acceptor of the connection). | 192.33.1.2; 2001:0db8:85a3:0000:0000:8a2e:0370:7334 |
network_flow.destination.port | long | experimental Flow destination port. By convention, destination port means TCP server (acceptor of the connection). | 22; 8080 |
network_flow.network.transport | string | experimental Protocol | TCP; other; UDP |
network_flow.network.type | string | experimental IP protocol version. | IPV4 |
network_flow.packets.retransmitted.base.rx | long | experimental Number of packets received, used as the base for retransmission rate, direction: to Process (PGI). | |
network_flow.packets.retransmitted.base.tx | long | experimental Number of packets sent, used as the base for retransmission rate, direction: from Process (PGI). | |
network_flow.packets.retransmitted.rx | long | experimental Number of retransmitted packets during given interval, direction: to Process (PGI). | |
network_flow.packets.retransmitted.tx | long | experimental Number of retransmitted packets during given interval, direction: from Process (PGI). | |
network_flow.packets.rx | long | experimental Number of packets received during given interval, direction: to Process (PGI). | |
network_flow.packets.tx | long | experimental Number of packets transmitted during given interval, direction: from Process (PGI). | |
network_flow.process_is_server | boolean | experimental Indicates whether the entity (Process) is acting as a server in the network flow. | true; false |
network_flow.source.address | ipAddress | experimental Source IP address. By convention, source means TCP client (initiator of the connection). | 192.33.1.2; 2001:0db8:85a3:0000:0000:8a2e:0370:7334 |
network_flow.tcp.rtt | duration | experimental Mean RTT value [ms]. | |
network_flow.tcp.rtt.ack | duration | experimental Mean RTT ack value [ms]. | |
network_flow.tcp.sessions.new | long | experimental Number of new TCP sessions in the flow. | |
network_flow.tcp.sessions.reset | long | experimental Number of reset (rejected) TCP sessions in the flow. | |
network_flow.tcp.sessions.timeout | long | experimental Number of timed out TCP sessions in flow. |
network_flow.network.type has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
| Value | Description |
|---|---|
IPV4 | ipv4 |
IPV6 | ipv6 |
Connectivity metrics (sessions new, reset, timeout) are currently reported only for incoming sessions to the server port.
Communication between two processes on the same host, or between two containers on the same node, may produce two separate records.