Network Flow Logs
Detect suspicious activity, troubleshoot network issues, and identify security risks with detailed traffic analysis for faster resolution and better protection
Overview
Traffic logs offer real-time visibility into traffic on your Netmaker network, so you can monitor connections, analyze traffic patterns, and troubleshoot issues using detailed connection logs.
PRO FEATURE
Traffic logs are available only on the Netmaker Business plan
ENABLING TRAFFIC LOGS
If Traffic Logs are not included in your plan, they must be enabled by the Netmaker team. To request activation:
Contact Form: https://www.netmaker.io/contact
Status: BETA
What are Traffic Logs?
Traffic Logs capture detailed information about network connections flowing through your Netmaker network. Each log entry records the source, destination, protocol, ports, traffic direction, and data volume for comprehensive network visibility.
Key Benefits
Real-time visibility into all network traffic
Troubleshoot connectivity issues with detailed connection data
Monitor traffic patterns and bandwidth usage
Identify suspicious activity or unauthorised connections
Understanding the Traffic Logs Interface
Global Insights View

Each traffic log entry displays detailed information about a network event.
Below is a breakdown of all components you'll see in a log entry:
Log Entry Components
| Component | Description | Example |
| --- | --- | --- |
| Event | Timestamp, end time, node name, and direction | 9:03 AM, End: 9:03 AM, Node: inetgw, Inbound |
| Source | Origin of traffic (Node, User, External, etc.) | debian (node), 100.102.137.9:54618, [email protected] |
| Protocol & Port | Network protocol and destination port | TCP 443, UDP 53, ICMP |
| Destination | Target of traffic | inetgw (node), 140.82.113.26 |
| Traffic | Data transferred (download/upload) | ↓ 60 B, ↑ 40 B |
Domain Visibility in Traffic Logs
Traffic Logs now include domain names for external destinations, making it easier to identify services and endpoints without relying solely on IP addresses.
This enhancement provides:
More readable logs
Faster troubleshooting
Better security analysis
Instead of seeing only an IP address:
You may now see:
Example:
Before:
140.82.113.26:443
After:
github.com 20.26.156.215:443
Figure: Traffic Logs showing domain names and addresses for external connections.
Component Details
Event Information:
Timestamp: Exact time the traffic event occurred (format: HH:MM AM/PM)
End Time: When the traffic event is completed (format: End: HH:MM AM/PM)
Node: The node that generated or received the traffic (format: Node: [node-name])
Direction: Traffic flow - Inbound (coming into node) or Outbound (leaving node)
Source Types:
Node: Internal network node (e.g., debian, inetgw)
User: User devices (e.g., [email protected])
Config Files: Configuration-related traffic
External: External IP addresses outside your network
Egress Route: Traffic through egress gateways
Protocol Types:
TCP - Transmission Control Protocol (reliable, connection-oriented)
UDP - User Datagram Protocol (fast, connectionless)
ICMP - Internet Control Message Protocol (network diagnostics)
Destination Types:
Node: Internal network node
User: User endpoint
Config Files: Configuration endpoints
External: External IP addresses (e.g., 140.82.113.26)
Egress Route: Egress gateway destinations
Traffic Volume Indicators:
↓ (Download): Data received by the source node
↑ (Upload): Data sent by the source node
Units: B (bytes), KiB (kibibytes), MiB (mebibytes)
Reading Traffic Log Entries

Example 1: Internal Node Communication (Inbound)

How to Read This:
Reported by the inetgw node
When: The event occurred at 9:51 AM and ended at 9:51 AM
Where: Traffic passed through the inetgw node
Direction: Inbound (coming into inetgw)
Source: The debian node from IP 100.102.137.9, port 44006
Protocol: TCP on port 443 (HTTPS)
Destination: The inetgw node at IP 100.102.137.4, port 443
Data Transfer: 60 bytes received (↓), 40 bytes sent (↑)
Interpretation: The debian node initiated a secure HTTPS connection to the inetgw gateway, receiving 60 bytes and sending 40 bytes of data. This is typical of a small API call or status check.
Example 2: Same Connection from Source Perspective (Outbound)

How to Read This:
Reported by the debian node
When: 9:51 AM (same event as Example 1)
Where: Traffic originated from the debian node
Direction: Outbound (leaving debian)
Source: The debian node at IP 100.102.137.9, port 44006
Protocol: TCP on port 443 (HTTPS)
Destination: The inetgw gateway at IP 100.102.137.4, port 443
Data Transfer: 40 bytes received (↓), 60 bytes sent (↑)
Interpretation: This is the same connection as Example 1, but reported by the debian node. Notice how the traffic values are reversed (↓40B/↑60B vs ↓60B/↑40B).
Example 3: User Connection to External Service

How to Read This:
Reported by the inetgw node
When: Event started at 9:50 AM and ended at 9:51 AM
Who: User [email protected] initiated the connection
Where: Traffic routed through the inetgw node (gateway)
Direction: Inbound through the gateway
Source: User at IP 100.102.137.21, port 38532
Protocol: TCP on port 443 (HTTPS)
Destination: External server at IP 34.160.111.145, port 443
Data Transfer: 2.36 KiB received (↓), 4.03 KiB sent (↑)
Interpretation: User [email protected] connected through the inetgw gateway to an external server on HTTPS. The user downloaded 2.36 KiB and uploaded 4.03 KiB, suggesting they sent more data than they received—typical of uploading data or submitting form content to an external service.
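Examples 1 and 2 show one connection logged twice with reversed ↓/↑ values, so summing raw entries counts its bytes twice. The following added example (not Netmaker code) merges such pairs before totalling; the record field names are hypothetical, since this page does not show an export format, and the sample records are constructed from the values in Examples 1-3.

```python
import re
from collections import defaultdict

UNIT = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2}

def to_bytes(text):
    """Convert a displayed volume such as '2.36 KiB' or '60.00 (B)' to bytes."""
    m = re.fullmatch(r"\s*([\d.]+)\s*\(?(B|KiB|MiB)\)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised volume: {text!r}")
    return round(float(m.group(1)) * UNIT[m.group(2)])

def merge_perspectives(entries):
    """Collapse the Inbound and Outbound reports of one connection into one flow."""
    groups = defaultdict(list)
    for e in entries:
        # Same source, destination, protocol and start time => same connection.
        groups[(e["src"], e["dst"], e["proto"], e["start"])].append(e)
    flows = []
    for (src, dst, proto, _start), recs in groups.items():
        out = next((r for r in recs if r["direction"] == "Outbound"), None)
        inn = next((r for r in recs if r["direction"] == "Inbound"), None)
        base = out or inn or recs[0]          # count bytes from one report only
        down, up = to_bytes(base["down"]), to_bytes(base["up"])
        # A true pair comes from two different nodes with swapped counters.
        mirrored = bool(out and inn and out["node"] != inn["node"]
                        and to_bytes(inn["down"]) == up
                        and to_bytes(inn["up"]) == down)
        flows.append({"src": src, "dst": dst, "proto": proto,
                      "reporters": sorted(r["node"] for r in recs),
                      "bytes": down + up, "mirrored": mirrored})
    return flows

# Constructed records (hypothetical field names) using values from Examples 1-3.
SAMPLE = [
    {"node": "inetgw", "direction": "Inbound", "start": "9:51 AM",
     "src": "100.102.137.9:44006", "dst": "100.102.137.4:443", "proto": "TCP",
     "down": "60 B", "up": "40 B"},
    {"node": "debian", "direction": "Outbound", "start": "9:51 AM",
     "src": "100.102.137.9:44006", "dst": "100.102.137.4:443", "proto": "TCP",
     "down": "40 B", "up": "60 B"},
    {"node": "inetgw", "direction": "Inbound", "start": "9:50 AM",
     "src": "100.102.137.21:38532", "dst": "34.160.111.145:443", "proto": "TCP",
     "down": "2.36 KiB", "up": "4.03 KiB"},
]
```

A flow with two reporters whose counters do not mirror each other ends up with `mirrored` set to `False`, which is worth a closer look when reconciling logs from both ends.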
Common Traffic Patterns
Small Data Transfers (< 1 KiB)
What it means: Control messages, API calls, heartbeats, status checks
Examples:
↓ 60.00 (B) / ↑ 40.00 (B)
TCP port 443 connections with minimal data
Quick request/response patterns
Typical scenarios:
Health checks between nodes
Authentication requests
Configuration updates
DNS queries
Medium Data Transfers (1-100 KiB)
What it means: Web pages, API responses, small files
Examples:
↓ 4.33 (KiB) / ↑ 4.84 (KiB)
HTTP/HTTPS web page loads
JSON data exchanges
Typical scenarios:
Loading web dashboards
API data retrieval
Configuration file transfers
Log uploads
Large Data Transfers (> 100 KiB)
What it means: File transfers, media, backups
Examples:
↓ 2.5 (MiB) / ↑ 1.2 (MiB)
File downloads/uploads
Database syncs
Typical scenarios:
Software updates
Backup operations
Video streaming
Large file transfers
Using the Filter Feature

Click the "Filter" button at the top of the Traffic Logs panel
Select your filter criteria: Time Range, Protocol, Direction, Source, Destination Types
Apply filters to see refined results
Reset to defaults to return to full view
Data Volume Reference
Understanding Size Units
Bytes (B):
Range: 1 - 999 B
Typical for: Control messages, handshakes, small requests
Examples: TCP SYN packets, HTTP headers, status checks
Kibibytes (KiB):
1 KiB = 1,024 bytes
Range: 1 - 999 KiB
Typical for: Web pages, API responses, small files
Examples: HTML pages, JSON data, small images
Mebibytes (MiB):
1 MiB = 1,024 KiB = 1,048,576 bytes
Range: 1+ MiB
Typical for: Large files, media, backups
Examples: Videos, software updates, database dumps
Typical Traffic Volumes by Service
| Service | Typical Size | Example |
| --- | --- | --- |
| TCP Handshake | 40-100 B | ↓ 60 B / ↑ 40 B |
| DNS Query | 50-150 B | ↓ 120 B / ↑ 80 B |
| HTTP Header | 200-800 B | ↓ 500 B / ↑ 300 B |
| Small API Call | 1-10 KiB | ↓ 4.5 KiB / ↑ 2.1 KiB |
| Web Page | 10-500 KiB | ↓ 250 KiB / ↑ 15 KiB |
| Image | 50 KiB - 5 MiB | ↓ 1.2 MiB / ↑ 500 B |
| Video Stream | 1-10+ MiB/sec | ↓ 8 MiB / ↑ 100 KiB |
Summary
Traffic Logs provide essential visibility into your network communications:
Real-time monitoring of all network traffic
Detailed information about each connection
Flexible filtering to find relevant events
Security monitoring to detect threats
Performance troubleshooting to identify issues
Compliance auditing to document activity
To get started, contact the Netmaker team: https://www.netmaker.io/contact