Telemetry Data

Netify's metadata extraction engine transforms raw packet streams into actionable telemetry data. Traffic flows into Netify DPI on one side - structured, enriched metadata flows out on the other. This metadata includes:

Application Information
Protocol Information
Network Intelligence
Hostnames
IP Data
Network Fingerprints
Encryption and Ciphers
Bandwidth Statistics
Performance Statistics
Connection Tracking Data
Risk Analysis

Refer to the Cloudflare DoH example on this page to see a sample of the network metadata generated by Netify.

Application and Protocol Classification

Netify classifies traffic by both application and protocol, enabling policy enforcement and visibility beyond simple IP addresses and network ranges.

Network Intelligence

The Netify Intelligence Engine analyzes every network flow. Enriched metadata adds context to raw traffic, enabling detection of technologies, services, and behaviors in real time. In the example on this page, you can see in the intel JSON property that a DNS-over-HTTPS (DoH) server was automatically detected.

Extracted Hostnames

Using Netify's deep packet inspection engine, hostnames and protocol metadata are extracted from:

DNS
mDNS
HTTPS / SNI
QUIC
SSDP
and many more

Extracted hostnames and domains are matched against continuously updated signatures, allowing you to clearly see which services and applications are active on your network.

Encryption and Ciphers

Netify DPI extracts TLS versions and cipher suites directly from encrypted sessions - without decrypting payload data. This enables:

Fingerprinting of malicious or unauthorized applications
Detection of outdated or insecure encryption standards
Enforcement of encryption policies via firewall and quality of service integrations

Performance Statistics and KPIs

Netify tracks flow-level performance metrics and behavioral statistics to help identify abnormal traffic patterns, detect bandwidth abuse, and troubleshoot application performance issues.

Flexible Integration

The Telemetry Connectors page provides an overview of how you can send the telemetry data to logs, sockets, message queues and more. For a deeper technical dive, review the telemetry formats available from the agent.

Sample Telemetry from Netify DPI

{
  "app_ip_override": false,
  "category": {
    "application": 27,
    "domain": 0,
    "overlay": 0,
    "protocol": 22
  },
  "conntrack": {
    "id": 3184343337,
    "mark": 0,
    "reply_dst_ip": "192.168.4.44",
    "reply_dst_port": 34602,
    "reply_src_ip": "104.16.249.249",
    "reply_src_port": 443
  },
  "detected_application": 10299,
  "detected_application_name": "netify.cloudflare-dns",
  "detected_protocol": 196,
  "detected_protocol_name": "HTTP/S",
  "detection_guessed": false,
  "detection_packets": 6,
  "detection_updated": true,
  "dhc_hit": false,
  "digest": "3cc9aeec35824abf8d3e10b891b7db9ebb982d89",
  "fhc_hit": false,
  "first_seen_at": 1771527226726,
  "host_server_name": "cloudflare-dns.com",
  "intel": [
    {
      "category": "encrypted_dns_detection",
      "indicator": "dox_server",
      "indicator_driver": "dox_server",
      "label": "DoH/DoQ Server",
      "score": 30
    }
  ],
  "ip_dscp": 0,
  "ip_nat": true,
  "ip_protocol": 6,
  "ip_version": 4,
  "last_seen_at": 1771527226892,
  "local_bytes": 1513,
  "local_ip": "192.168.4.44",
  "local_mac": "f8:e9:03:01:69:13",
  "local_origin": true,
  "local_packets": 9,
  "local_port": 34602,
  "local_rate": 1513.0,
  "other_bytes": 4407,
  "other_ip": "104.16.249.249",
  "other_mac": "3c:7c:3f:a1:ed:58",
  "other_packets": 8,
  "other_port": 443,
  "other_rate": 4407.0,
  "other_type": "remote",
  "soft_dissector": false,
  "ssl": {
    "alpn": [
      "http/1.1"
    ],
    "cipher_suite": "0x1301",
    "client_ja4": "t13d1713ht_5b57614c22b0_eca864cca44a",
    "client_sni": "cloudflare-dns.com",
    "version": "0x0303"
  },
  "tcp": {
    "resets": 0,
    "retrans": 0,
    "seq_errors": 0
  },
  "total_bytes": 5920,
  "total_packets": 17,
  "vlan_id": 0
}