DataDog · smola · Apr 27, 2026
@@ -370,6 +370,9 @@ public AgentSpan onRequest(
       } else {
         span.setTag(Tags.PEER_HOST_IPV4, peerIp);
       }
+      if (clientIpResolverEnabled) {
+        span.setTag(Tags.NETWORK_CLIENT_IP, peerIp);
+      }
     }
     setPeerPort(span, peerPort);
     Flow<Void> flow = callIGCallbackAddressAndPort(span, peerIp, peerPort, inferredAddressStr);

@@ -218,6 +218,7 @@ class HttpServerDecoratorTest extends ServerDecoratorTest {
     1 * this.span.setTag(Tags.HTTP_FORWARDED_HOST, "somehost")
     if (conn?.peerIp) {
       1 * this.span.setTag(ipv4 ? Tags.PEER_HOST_IPV4 : Tags.PEER_HOST_IPV6, conn.peerIp)
+      1 * this.span.setTag(Tags.NETWORK_CLIENT_IP, conn.peerIp)
     }
     if (conn?.ip) {
       1 * this.span.setTag(Tags.HTTP_CLIENT_IP, conn.ip)
@@ -253,6 +254,7 @@ class HttpServerDecoratorTest extends ServerDecoratorTest {
 
     then:
     1 * this.span.setTag(Tags.HTTP_CLIENT_IP, result)
+    1 * this.span.setTag(Tags.NETWORK_CLIENT_IP, peerIpAddr)
 
     where:
     headerIpAddr | peerIpAddr  | result
@@ -277,6 +279,7 @@ class HttpServerDecoratorTest extends ServerDecoratorTest {
     0 * extracted.getForwarded()
     0 * span.setTag(Tags.HTTP_FORWARDED, _)
     0 * this.span.setTag(Tags.HTTP_CLIENT_IP, _)
+    0 * this.span.setTag(Tags.NETWORK_CLIENT_IP, _)
   }
 
   void 'disabling appsec disables header collection and ip address resolution'() {
@@ -294,6 +297,7 @@ class HttpServerDecoratorTest extends ServerDecoratorTest {
     0 * extracted.getForwarded()
     0 * span.setTag(Tags.HTTP_FORWARDED, _)
     0 * this.span.setTag(Tags.HTTP_CLIENT_IP, _)
+    0 * this.span.setTag(Tags.NETWORK_CLIENT_IP, _)
   }
 
   void 'disabling appsec but enabling client_ip_without_appsec enables header collection and ip address resolution'() {
@@ -313,6 +317,7 @@ class HttpServerDecoratorTest extends ServerDecoratorTest {
     2 * extracted.getXForwardedFor() >> '2.3.4.5'
     1 * this.span.setTag(Tags.HTTP_CLIENT_IP, '2.3.4.5')
     1 * this.span.setTag(Tags.HTTP_FORWARDED_IP, '2.3.4.5')
+    1 * this.span.setTag(Tags.NETWORK_CLIENT_IP, '4.4.4.4')
 
     // Forwarded doesn't participate in client ip resolution anymore
     1 * extracted.getForwarded() >> 'for=9.9.9.9'
@@ -333,6 +338,7 @@ class HttpServerDecoratorTest extends ServerDecoratorTest {
     then:
     1 * extracted.getCustomIpHeader() >> '5.5.5.5'
     1 * this.span.setTag(Tags.HTTP_CLIENT_IP, '5.5.5.5')
+    1 * this.span.setTag(Tags.NETWORK_CLIENT_IP, '4.4.4.4')
   }
 
   def "test onResponse"() {

@@ -986,9 +986,6 @@ private NoopFlow onRequestEnded(RequestContext ctx_, IGSpanInfo spanInfo) {
 
         span.setTag("appsec.event", true);
 
-        String peerAddress = ctx.getPeerAddress();
-        span.setTag("network.client.ip", peerAddress);
-
         // Reflect client_ip as actor.ip for backward compatibility
         Object clientIp = tags.get(Tags.HTTP_CLIENT_IP);
         if (clientIp != null) {

@@ -189,12 +189,10 @@ class GatewayBridgeSpecification extends DDSpecification {
     then:
     1 * spanInfo.getTags() >> TagMap.fromMap(['http.client_ip': '1.1.1.1'])
     1 * mockAppSecCtx.transferCollectedEvents() >> [event]
-    1 * mockAppSecCtx.peerAddress >> '2001::1'
     1 * mockAppSecCtx.close()
     1 * spanInfo.setMetric("_dd.appsec.enabled", 1)
     1 * spanInfo.setTag("_dd.runtime_family", "jvm")
     1 * spanInfo.setTag('appsec.event', true)
-    1 * spanInfo.setTag('network.client.ip', '2001::1')
     1 * spanInfo.setTag('actor.ip', '1.1.1.1')
     1 * traceSegment.setDataTop('appsec', new AppSecEventWrapper([event]))
     1 * mockAppSecCtx.isWafBlocked()

@@ -296,6 +296,11 @@ abstract class HttpServerTest<SERVER> extends WithHttpServer<SERVER> {
     true
   }
 
+  /** Some frameworks (incorrectly) expose the forwarded header as the request peer address. */
+  boolean forwardedIpAsPeerInformation() {
+    false
+  }
+
   boolean hasExtraErrorInformation() {
     false
   }
@@ -2466,6 +2471,7 @@ abstract class HttpServerTest<SERVER> extends WithHttpServer<SERVER> {
     boolean hasPeerInformation = hasPeerInformation()
     boolean hasPeerPort = hasPeerPort()
     boolean hasForwardedIP = hasForwardedIP()
+    boolean useForwardedIpAsPeerInformation = forwardedIpAsPeerInformation()
     def expectedExtraServerTags = expectedExtraServerTags(endpoint)
     def expectedStatus = expectedStatus(endpoint)
     def expectedQueryTag = expectedQueryTag(endpoint)
@@ -2490,29 +2496,43 @@ abstract class HttpServerTest<SERVER> extends WithHttpServer<SERVER> {
           if (hasPeerPort) {
             "$Tags.PEER_PORT" Integer
           }
+          def peerHostTag = Tags.PEER_HOST_IPV4
+          def expectedPeerIp = "127.0.0.1"
           if (span.getTag(Tags.PEER_HOST_IPV6) != null) {
-            "$Tags.PEER_HOST_IPV6" {
-              it == "0:0:0:0:0:0:0:1" || (endpoint == FORWARDED && it == endpoint.body)
-            }
-            "$Tags.HTTP_CLIENT_IP" {
-              it == "0:0:0:0:0:0:0:1" || (endpoint == FORWARDED && it == endpoint.body)
-            }
-          } else {
-            "$Tags.PEER_HOST_IPV4" {
-              it == "127.0.0.1" || (endpoint == FORWARDED && it == endpoint.body)
-            }
-            "$Tags.HTTP_CLIENT_IP" {
-              it == "127.0.0.1" || (endpoint == FORWARDED && it == endpoint.body)
-            }
+            peerHostTag = Tags.PEER_HOST_IPV6
+            expectedPeerIp = "0:0:0:0:0:0:0:1"
+          }
+          // Special-case for the FORWARDED endpoint, which is exercised by the
+          // "test forwarded request" feature in this class. That test sends a
+          // GET /forwarded request with an `X-Forwarded-For: 1.2.3.4` header.
+          // Some frameworks (e.g. Dropwizard, Play 2.3/2.5 via
+          // `request.remoteAddress()`) substitute the forwarded IP into their
+          // remote-address API, so the peer/network IP tags become 1.2.3.4
+          // instead of the actual TCP peer (loopback). Frameworks with that
+          // behaviour opt in via `forwardedIpAsPeerInformation()`.
+          // FIXME(santiago.mola): This is actually a bug, and ideally instrumentation
+          // for Dropwizard or Play should be fixed to retrieve the correct peer IP
+          // for network.client.ip tags.
+          if (endpoint == FORWARDED && useForwardedIpAsPeerInformation) {
+            expectedPeerIp = endpoint.body
           }
+          tag(peerHostTag, expectedPeerIp)
+          "$Tags.HTTP_CLIENT_IP" clientIp ?: expectedPeerIp
+          "$Tags.NETWORK_CLIENT_IP" expectedPeerIp
         } else {
+          // http.client_ip is inferred from forwarded headers; network.client.ip requires peerIp.
+          "$Tags.NETWORK_CLIENT_IP" null
           "$Tags.HTTP_CLIENT_IP" clientIp
         }
         "$Tags.HTTP_HOSTNAME" address.host
         "$Tags.HTTP_URL" "$expectedUrl"
         "$Tags.HTTP_METHOD" method
         "$Tags.HTTP_STATUS" expectedStatus
         "$Tags.HTTP_USER_AGENT" String
+        // The FORWARDED endpoint is hit by the "test forwarded request" feature
+        // with an `X-Forwarded-For: 1.2.3.4` header; FORWARDED.body is that
+        // same "1.2.3.4" string, which is what we expect to surface as the
+        // forwarded-IP tag when the framework extracts it.
         if (endpoint == FORWARDED && hasForwardedIP) {
           "$Tags.HTTP_FORWARDED_IP" endpoint.body
         }

@@ -74,6 +74,7 @@ class LagomTest extends InstrumentationSpecification {
             "$Tags.PEER_HOST_IPV4" '127.0.0.1'
             "$Tags.PEER_PORT" Integer
             "$Tags.HTTP_CLIENT_IP" '127.0.0.1'
+            "$Tags.NETWORK_CLIENT_IP" '127.0.0.1'
             defaultTags()
           }
         }
@@ -121,6 +122,7 @@ class LagomTest extends InstrumentationSpecification {
             "$Tags.PEER_HOST_IPV4" '127.0.0.1'
             "$Tags.PEER_PORT" Integer
             "$Tags.HTTP_CLIENT_IP" '127.0.0.1'
+            "$Tags.NETWORK_CLIENT_IP" '127.0.0.1'
             defaultTags()
           }
         }

@@ -75,6 +75,7 @@ class CxfContextPropagationTest extends InstrumentationSpecification {
             "$InstrumentationTags.SERVLET_PATH" "/test"
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             withCustomIntegrationName("jetty-server")
             defaultTags()
           }

@@ -73,6 +73,7 @@ class CxfContextPropagationTest extends InstrumentationSpecification {
             "servlet.path" { it == null || it == "/test" }
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             withCustomIntegrationName("jetty-server")
             defaultTags()
           }

@@ -122,6 +122,11 @@ class DropwizardTest extends HttpServerTest<DropwizardTestSupport> {
     return true
   }
 
+  @Override
+  boolean forwardedIpAsPeerInformation() {
+    true
+  }
+
   @Override
   boolean changesAll404s() {
     true

@@ -37,6 +37,7 @@ class JSPInstrumentationBasicTests extends JSPTestBase {
             "$Tags.HTTP_STATUS" 200
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             "servlet.context" "/$jspWebappContext"
             "servlet.path" "/$jspFileName"
             defaultTags()
@@ -114,6 +115,7 @@ class JSPInstrumentationBasicTests extends JSPTestBase {
             "$Tags.HTTP_STATUS" 200
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             "servlet.context" "/$jspWebappContext"
             "servlet.path" "/getQuery.jsp"
             defaultTags()
@@ -187,6 +189,7 @@ class JSPInstrumentationBasicTests extends JSPTestBase {
             "$Tags.HTTP_STATUS" 200
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             "servlet.context" "/$jspWebappContext"
             "servlet.path" "/post.jsp"
             defaultTags()
@@ -256,6 +259,7 @@ class JSPInstrumentationBasicTests extends JSPTestBase {
             "$Tags.HTTP_STATUS" 500
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             "servlet.context" "/$jspWebappContext"
             "servlet.path" "/$jspFileName"
             "error.type" { String tagExceptionType ->
@@ -345,6 +349,7 @@ class JSPInstrumentationBasicTests extends JSPTestBase {
             "$Tags.HTTP_STATUS" 200
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             "servlet.context" "/$jspWebappContext"
             "servlet.path" "/includes/includeHtml.jsp"
             defaultTags()
@@ -414,6 +419,7 @@ class JSPInstrumentationBasicTests extends JSPTestBase {
             "$Tags.HTTP_STATUS" 200
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             "servlet.context" "/$jspWebappContext"
             "servlet.path" "/includes/includeMulti.jsp"
             defaultTags()
@@ -537,6 +543,7 @@ class JSPInstrumentationBasicTests extends JSPTestBase {
             "$Tags.HTTP_STATUS" 500
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             "servlet.context" "/$jspWebappContext"
             "servlet.path" "/$jspFileName"
             errorTags(JasperException, String)
@@ -602,6 +609,7 @@ class JSPInstrumentationBasicTests extends JSPTestBase {
             "$Tags.HTTP_STATUS" 200
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             "servlet.context" "/$jspWebappContext"
             "servlet.path" "/$staticFile"
             defaultTags()

@@ -34,6 +34,7 @@ class JSPInstrumentationForwardTests extends JSPTestBase {
             "$Tags.HTTP_STATUS" 200
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             "servlet.context" "/$jspWebappContext"
             "servlet.path" "/$forwardFromFileName"
             defaultTags()
@@ -136,6 +137,7 @@ class JSPInstrumentationForwardTests extends JSPTestBase {
             "$Tags.HTTP_STATUS" 200
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             "servlet.context" "/$jspWebappContext"
             "servlet.path" "/forwards/forwardToHtml.jsp"
             defaultTags()
@@ -205,6 +207,7 @@ class JSPInstrumentationForwardTests extends JSPTestBase {
             "$Tags.HTTP_STATUS" 200
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             "servlet.context" "/$jspWebappContext"
             "servlet.path" "/forwards/forwardToIncludeMulti.jsp"
             defaultTags()
@@ -358,6 +361,7 @@ class JSPInstrumentationForwardTests extends JSPTestBase {
             "$Tags.HTTP_STATUS" 200
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             "servlet.context" "/$jspWebappContext"
             "servlet.path" "/forwards/forwardToJspForward.jsp"
             defaultTags()
@@ -483,6 +487,7 @@ class JSPInstrumentationForwardTests extends JSPTestBase {
             "$Tags.HTTP_STATUS" 500
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             "servlet.context" "/$jspWebappContext"
             "servlet.path" "/forwards/forwardToCompileError.jsp"
             errorTags(JasperException, String)
@@ -569,6 +574,7 @@ class JSPInstrumentationForwardTests extends JSPTestBase {
             "$Tags.HTTP_STATUS" 404
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             "servlet.context" "/$jspWebappContext"
             "servlet.path" "/forwards/forwardToNonExistent.jsp"
             defaultTags()

@@ -115,6 +115,7 @@ class MuleForkedTest extends WithHttpServer<MuleTestContainer> {
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.PEER_HOST_IPV4" "127.0.0.1"
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             "$Tags.PEER_PORT" { true } // is this really the best way to ignore tags?
             defaultTags()
           }
@@ -174,6 +175,7 @@ class MuleForkedTest extends WithHttpServer<MuleTestContainer> {
             "$Tags.HTTP_USER_AGENT" String
             "$Tags.PEER_HOST_IPV4" "127.0.0.1"
             "$Tags.HTTP_CLIENT_IP" "127.0.0.1"
+            "$Tags.NETWORK_CLIENT_IP" "127.0.0.1"
             "$Tags.PEER_PORT" { Integer }
             defaultTags()
           }

@@ -42,9 +42,15 @@ class PlayServerTest extends HttpServerTest<TestServer> {
     true
   }
 
+  @Override
+  boolean forwardedIpAsPeerInformation() {
+    true
+  }
+
   @Override
   void handlerSpan(TraceAssert trace, ServerEndpoint endpoint = SUCCESS) {
     def expectedQueryTag = expectedQueryTag(endpoint)
+    def expectedClientIp = endpoint == FORWARDED ? endpoint.body : '127.0.0.1'
     trace.span {
       serviceName expectedServiceName()
       operationName "play.request"
@@ -54,8 +60,9 @@ class PlayServerTest extends HttpServerTest<TestServer> {
       tags {
         "$Tags.COMPONENT" PlayHttpServerDecorator.DECORATE.component()
         "$Tags.SPAN_KIND" Tags.SPAN_KIND_SERVER
-        "$Tags.PEER_HOST_IPV4" (endpoint == FORWARDED ? endpoint.body : "127.0.0.1")
-        "$Tags.HTTP_CLIENT_IP" (endpoint == FORWARDED ? endpoint.body : "127.0.0.1")
+        "$Tags.PEER_HOST_IPV4" expectedClientIp
+        "$Tags.HTTP_CLIENT_IP" expectedClientIp
+        "$Tags.NETWORK_CLIENT_IP" expectedClientIp
         "$Tags.HTTP_URL" String
         "$Tags.HTTP_HOSTNAME" address.host
         "$Tags.HTTP_METHOD" String

@@ -135,7 +135,8 @@ class AbstractPlayServerTest extends HttpServerTest<Server> {
         "$Tags.COMPONENT" PlayHttpServerDecorator.DECORATE.component()
         "$Tags.SPAN_KIND" Tags.SPAN_KIND_SERVER
         "$Tags.PEER_HOST_IPV4" '127.0.0.1'
-        "$Tags.HTTP_CLIENT_IP" (endpoint == FORWARDED ? endpoint.body : '127.0.0.1')
+        "$Tags.HTTP_CLIENT_IP" (endpoint == FORWARDED ? { it == endpoint.body || it == '127.0.0.1' } : '127.0.0.1')
+        "$Tags.NETWORK_CLIENT_IP" (endpoint == FORWARDED ? { it == endpoint.body || it == '127.0.0.1' } : '127.0.0.1')
         "$Tags.HTTP_URL" String
         "$Tags.HTTP_HOSTNAME" address.host
         "$Tags.HTTP_METHOD" String

@@ -89,6 +89,7 @@ class PlayScalaRoutesServerTest extends PlayServerTest {
   @Override
   void handlerSpan(TraceAssert trace, HttpServerTest.ServerEndpoint endpoint = SUCCESS) {
     def expectedQueryTag = expectedQueryTag(endpoint)
+    def expectedClientIp = endpoint == FORWARDED ? endpoint.body : '127.0.0.1'
     trace.span {
       serviceName expectedServiceName()
       operationName 'play.request'
@@ -98,8 +99,9 @@ class PlayScalaRoutesServerTest extends PlayServerTest {
       tags {
         "$Tags.COMPONENT" 'play-action'
         "$Tags.SPAN_KIND" Tags.SPAN_KIND_SERVER
-        "$Tags.PEER_HOST_IPV4" (endpoint == FORWARDED ? endpoint.body : '127.0.0.1')
-        "$Tags.HTTP_CLIENT_IP" (endpoint == FORWARDED ? endpoint.body : '127.0.0.1')
+        "$Tags.PEER_HOST_IPV4" expectedClientIp
+        "$Tags.HTTP_CLIENT_IP" expectedClientIp
+        "$Tags.NETWORK_CLIENT_IP" expectedClientIp
         "$Tags.HTTP_URL" String
         "$Tags.HTTP_HOSTNAME" address.host
         "$Tags.HTTP_METHOD" String