NetFlow & network traffic

The Network Traffic page (OBSERVE > NetFlow when the netflow feature is enabled) shows flows stored in your tenant database. Ingest flows via POST /api/netflow (see Data collection and edge collectors).

What you see

  • Time range — Presets: 1h, 6h, 24h, 7d. All summary metrics and charts use the same window (summary.window in the API).
  • Summary — Total flows, bytes, packets, and distinct protocols (aggregated over the window, not just the current page).
  • Top talkers (analytics) — Group by source IP, destination IP, or protocol; backed by GET /api/netflow/top-talkers.
  • Top destination ports — Bytes by dst_port for the window.
  • Application distribution — Heuristic labels from destination port (HTTP, HTTPS, PostgreSQL, etc.), same logic as flow-row inference.
  • Protocol breakdown — Flow counts by protocol.
  • Bytes over time — Hourly sums from the database for the selected window.
  • Flow table — Recent flows (paginated list; default limit 100 in the UI request).

API

  • GET /api/netflow?from=&to=&protocol=&src_ip=&limit=&offset= — Returns flows, summary (including top_dest_ports, bytes_series, window), total. Defaults: to = now, from = 24 hours ago if omitted.
  • GET /api/netflow/top-talkers — Aggregated groups (requires auth).
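
Because the flow list is paginated while the summary covers the whole window, totals computed from a single page undercount. The following added example (not the product's own code) pages through GET /api/netflow with limit and offset until total is reached, then sums bytes per dst_port locally. Assumptions: ISO 8601 timestamps for from/to, a per-flow field named bytes, the shape of summary.window, and an injected fetch callable that performs the authenticated HTTP request; a constructed fake_fetch stands in for it here.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

def build_query(now, hours=24, limit=100, offset=0, **filters):
    """Path and query for GET /api/netflow over the last `hours` hours."""
    params = {"from": (now - timedelta(hours=hours)).isoformat(),  # assumed ISO 8601
              "to": now.isoformat(), "limit": limit, "offset": offset}
    params.update({k: v for k, v in filters.items() if v is not None})
    return "/api/netflow?" + urlencode(params)

def fetch_all(fetch, now, hours=24, limit=100, **filters):
    """Read every flow in the window by advancing offset until total is reached."""
    flows, offset = [], 0
    while True:
        page = fetch(build_query(now, hours, limit, offset, **filters))
        flows.extend(page["flows"])
        offset += limit
        if not page["flows"] or offset >= page["total"]:
            return flows, page["summary"]

def bytes_by_dst_port(flows):
    """Sum bytes per destination port, largest first."""
    totals = Counter()
    for f in flows:
        totals[f["dst_port"]] += f["bytes"]  # "bytes" is an assumed field name
    return totals.most_common()

# Constructed sample rows: 250 flows, so the window spans three pages of 100.
SAMPLE = [{"src_ip": f"10.0.0.{i % 5}", "dst_port": (443, 5432, 80)[i % 3],
           "protocol": "TCP", "bytes": 1000 + i} for i in range(250)]

def fake_fetch(url):
    """Constructed stand-in for the authenticated HTTP call; serves SAMPLE."""
    q = parse_qs(urlparse(url).query)
    off, lim = int(q["offset"][0]), int(q["limit"][0])
    rows = [r for r in SAMPLE if r["src_ip"] == q.get("src_ip", [r["src_ip"]])[0]]
    return {"flows": rows[off:off + lim], "total": len(rows),  # assumed window shape
            "summary": {"window": {"from": q["from"][0], "to": q["to"][0]}}}

if __name__ == "__main__":
    now = datetime(2024, 1, 2, tzinfo=timezone.utc)  # constructed timestamp
    flows, summary = fetch_all(fake_fetch, now)
    print(len(flows), bytes_by_dst_port(flows), summary["window"])
```
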

Prerequisites

  • Tenant database with netflow_records populated.
  • Plan/feature: netflow must be enabled for API and nav.