Document Dynamic Tests for NetFlow setup (#37677)

* empty

* Document NetFlow Dynamic Tests setup

* Avoid unrelated Network Path link label churn

* Normalize NetFlow Dynamic Tests wording

* Document NetFlow self-source skip behavior

* Update content/en/network_monitoring/network_path/glossary.md

Co-authored-by: jeff-morgan-dd <jeff.morgan@datadoghq.com>

---------

Co-authored-by: jeff-morgan-dd <jeff.morgan@datadoghq.com>

Author: AlexandreYang

content/en/network_monitoring/netflow/_index.md

@@ -6,6 +6,9 @@ further_reading:
 - link: "/network_monitoring/devices/profiles"
   tag: "Documentation"
   text: "Using Profiles with Network Device Monitoring"
+- link: "/network_monitoring/network_path/setup/#dynamic-tests-for-netflow-experimental"
+  tag: "Documentation"
+  text: "Set up Dynamic Tests for NetFlow"
 - link: "https://www.datadoghq.com/blog/monitor-netflow-with-datadog/"
   tag: "Blog"
   text: "Monitor NetFlow traffic data with Datadog"
@@ -125,6 +128,12 @@ You can visualize the flows in NetFlow Monitoring by clicking on the {{< ui >}}F
 
 {{< img src="network_device_monitoring/netflow/flows.png" alt="Hover over a flow aggregated from a device emitting netflow to access related network connections" width="100%" >}}
 
+## Network Path for NetFlow
+
+Dynamic Tests for NetFlow can automatically run Network Path tests from the Agent that collects NetFlow traffic to destination IPs observed in NetFlow records. Use Dynamic Tests for NetFlow to add hop-by-hop route and latency context to your NetFlow destinations.
+
+Dynamic Tests for NetFlow are experimental and require Agent `v7.81+`. To set up Dynamic Tests for NetFlow, see [Network Path setup][11].
+
 ## NetFlow monitor
 
 Click on the {{< ui >}}Create Monitor{{< /ui >}} icon from any of the views to create a [NetFlow monitor][6]. When creating the monitor, consider the following fields with respect to the source IP or destination IP from the perspective of the device. These fields provide insights into network traffic patterns and help with optimizing performance and security.
@@ -371,3 +380,4 @@ Use the `netstat -s` command to see if there are any dropped UDP packets:
 [8]: https://github.com/DataDog/datadog-agent/blob/f6ae461a7d22aaf398de5a94d9330694d69560d6/pkg/config/config_template.yaml#L4203-L4275
 [9]: /network_monitoring/devices/troubleshooting#traps-or-flows-not-being-received-at-all
 [10]: https://app.datadoghq.com/devices/settings/enrichment/ip
+[11]: /network_monitoring/network_path/setup/#dynamic-tests-for-netflow-experimental

content/en/network_monitoring/network_path/_index.md

@@ -33,10 +33,11 @@ The following diagram depicts the typical flow of a network path from a source (
 
 ## Setup methods
 
-Network Path supports two Agent-based collection methods. You can use either method on its own or both together:
+Network Path supports multiple Agent-based collection methods. You can use one method on its own or combine multiple methods:
 
 - **[Scheduled tests][6]**: Monitor specific network paths by defining source-destination pairs in the Agent configuration file. Use scheduled tests to continuously monitor a known set of endpoints, such as critical APIs or partner services.
 - **[Dynamic tests][7]**: Automatically discover and monitor network paths based on actual network traffic observed by [Cloud Network Monitoring][8]. Use dynamic tests for broad visibility without manually listing every destination.
+- **[Dynamic Tests for NetFlow][10]**: Automatically run Network Path tests from the Agent host to destination IPs observed in [NetFlow Monitoring][11]. Use Dynamic Tests for NetFlow to add hop-by-hop route visibility to NetFlow traffic without manually configuring individual destinations.
 
 To create Network Path tests in Synthetic Monitoring instead, see [Network Path Testing in Synthetic Monitoring][9].
 
@@ -62,3 +63,5 @@ Use the following views and tools to set up Network Path and investigate network
 [7]: /network_monitoring/network_path/setup/#dynamic-tests
 [8]: /network_monitoring/cloud_network_monitoring/
 [9]: /synthetics/network_path_tests/
+[10]: /network_monitoring/network_path/setup/#dynamic-tests-for-netflow-experimental
+[11]: /network_monitoring/netflow/

content/en/network_monitoring/network_path/glossary.md

@@ -11,12 +11,14 @@ Network Path provides hop-by-hop visibility into the route between a source and
 | Concept                                 | Description                                                                                                                                                                                      |
 | --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | **[Network Path][6]**                        | Network Path provides hop-by-hop visibility into the route between a source and a destination, so you can identify where latency, packet loss, or routing changes occur. |
+| **[Dynamic Tests for NetFlow][8]**          | An experimental Network Path collection method that runs Network Path tests from the Agent host to destination IPs observed in NetFlow traffic. |
+| **Origin**                                  | The source that triggered a Network Path test, such as network traffic, NetFlow, a scheduled Agent configuration, or Synthetic Monitoring. Use the `origin` facet to filter paths by collection method. |
 | **Autonomous System (AS / ASN)**        | A collection of IP routing prefixes managed by a single network operator. Network Path groups hop by Autonomous System (AS) or Autonomous System Number (ASN) to show routing domains along the path.      
 | **[Path View][7]**                           | The Network Path visualization that displays each hop, grouped by Autonomous System Number (ASN), region, or network, along with probe status and hop metrics.                                                             |
 | **Hop**                                 | A network node along a route between source and destination, identified by IP address and associated metadata (ASN, cloud region, provider).                                                                  |                                                      |
-| **Source**                              | The starting point of a Network Path probe, typically an Agent-monitored host or container running the Datadog network monitoring tracer.                                                                     |
+| **Source**                              | The starting point of a Network Path probe, such as an Agent-monitored host, container, Synthetic location, or the Agent that collects NetFlow traffic.                                                                     |
 | **Destination**                         | The endpoint that the Network Path probe is targeting, such as a service, public endpoint, or domain.                                                                                                         |
-| **Traceroute** | The mechanism that Network Path uses to determine intermediate hops and latency. CNM sends controlled probes, similar to traceroute, to discover each hop on the route.                                                         |
+| **Traceroute** | The mechanism that Network Path uses to determine intermediate hops and latency. Network Path sends controlled probes, similar to traceroute, to discover each hop on the route.                                                         |
 | **Latency per hop**                     | The round-trip time between the probe source and each hop. This helps identify slow or congested nodes.                                                                                                            |
 | **Packet loss per hop**                 | The percentage of probe packets dropped before reaching or returning from a hop, useful for diagnosing reliability issues.                                                                                    |
 
@@ -41,4 +43,5 @@ Network Path provides hop-by-hop visibility into the route between a source and
 
 
 [6]: /network_monitoring/network_path/
-[7]: /network_monitoring/network_path/path_view
+[7]: /network_monitoring/network_path/path_view
+[8]: /network_monitoring/network_path/setup/#dynamic-tests-for-netflow-experimental

content/en/network_monitoring/network_path/setup.md

@@ -25,12 +25,13 @@ Setting up Network Path involves configuring your environment to monitor and tra
 
 <div class="alert alert-info">This page covers Network Path setup for Agent-based configuration in Network Monitoring. To create Network Path tests in Synthetic Monitoring, see <a href="/synthetics/network_path_tests/">Network Path Testing in Synthetic Monitoring</a>.</div>
 
-Datadog provides two Agent-based collection methods. You can use either method on its own or combine both:
+Datadog provides three Agent-based collection methods. You can use one method on its own or combine multiple methods:
 
 | Method | When to use |
 |--------|-------------|
 | **[Scheduled&nbsp;tests](#scheduled-tests)** | Monitor specific source-destination pairs that you define in the Agent configuration. Best for tracking a known set of endpoints, such as critical APIs or partner services. |
 | **[Dynamic&nbsp;tests](#dynamic-tests)** | Automatically discover and monitor paths based on traffic observed by [Cloud Network Monitoring][1]. Best for broad visibility without manually listing every destination. |
+| **[Dynamic&nbsp;Tests&nbsp;for&nbsp;NetFlow](#dynamic-tests-for-netflow-experimental)** | Automatically run Network Path tests from the Agent host to destination IPs observed in [NetFlow Monitoring][6]. Best for adding hop-by-hop route visibility to NetFlow traffic without manually configuring individual destinations. |
 
 ### Scheduled tests
 
@@ -173,7 +174,7 @@ Agent `v7.72+` is required.
          - "tag_key2:tag_value2"
     ```
 
-  3. Restart the Agent after making these configuration changes to start seeing network paths.
+3. Restart the Agent after making these configuration changes to start seeing network paths.
 
 {{% /tab %}}
 {{% tab "Helm" %}}
@@ -230,6 +231,7 @@ Datadog Autodiscovery allows you to enable Network Path on a per-service basis t
    datadog:
      traceroute:
        enabled: true
+   ```
 
 2. After the module is enabled, Datadog automatically detects Network Path annotations added to your Kubernetes pod. For more information, see [Kubernetes and Integrations][2].
 
@@ -501,20 +503,86 @@ datadog:
 {{% /tab %}}
 {{< /tabs >}}
 
-#### Filter syntax
+### Dynamic Tests for NetFlow (Experimental)
+
+<div class="alert alert-info">Dynamic Tests for NetFlow are experimental and require Agent <code>v7.81+</code>. To enable this feature, contact Datadog Support or your account team.</div>
+
+Configure Dynamic Tests for NetFlow to run Network Path tests from the Agent host to destination IPs observed in NetFlow records. Dynamic Tests for NetFlow do not require [Cloud Network Monitoring][1] or `network_path.connections_monitoring.enabled`.
+
+Dynamic Tests for NetFlow run from the Datadog Agent that collects NetFlow traffic. They do not run from the NetFlow exporter, router, or original flow source. Deploy the Agent close enough to the observed flow sources for traceroutes from that Agent to represent the paths you want to investigate.
+
+**Prerequisites**:
+
+- [NetFlow Monitoring][6] must be configured and receiving flows.
+- Agent `v7.81+` is required.
+
+{{< tabs >}}
+{{% tab "Linux" %}}
+
+1. Enable the `system-probe` traceroute module in `/etc/datadog-agent/system-probe.yaml` by adding the following:
+
+   ```yaml
+   traceroute:
+     enabled: true
+   ```
+
+2. Enable Dynamic Tests for NetFlow in `/etc/datadog-agent/datadog.yaml`:
+
+   ```yaml
+   network_path:
+     netflow_monitoring:
+       enabled: true
+     collector:
+       monitor_ip_without_domain: true
+   ```
+
+   `monitor_ip_without_domain: true` is required because Dynamic Tests for NetFlow target observed destination IP addresses and the Network Path collector skips IP-only targets by default.
+
+3. Restart the Agent after making these configuration changes.
+
+{{% /tab %}}
+{{% tab "Windows" %}}
+
+1. Enable the `system-probe` traceroute module in `%ProgramData%\Datadog\system-probe.yaml` by adding the following:
+
+   ```yaml
+   traceroute:
+     enabled: true
+   ```
+
+2. Enable Dynamic Tests for NetFlow in `%ProgramData%\Datadog\datadog.yaml`:
+
+   ```yaml
+   network_path:
+     netflow_monitoring:
+       enabled: true
+     collector:
+       monitor_ip_without_domain: true
+   ```
+
+   `monitor_ip_without_domain: true` is required because Dynamic Tests for NetFlow target observed destination IP addresses and the Network Path collector skips IP-only targets by default.
+
+3. Restart the Agent after making these configuration changes.
+
+{{% /tab %}}
+{{< /tabs >}}
+
+After the Agent reports paths, open the [Network Path][4] UI and filter for `origin:netflow` to view paths generated from NetFlow traffic.
+
+### Filter syntax
 
 Configure filters to include or exclude domains and IPs, allowing you to:
 
 - Reduce monitoring overhead for internal networks
 - Focus on external traffic patterns
 - Exclude known infrastructure ranges that don't require monitoring
 
+The same `network_path.collector.filters` list applies to dynamic tests and Dynamic Tests for NetFlow. For Dynamic Tests for NetFlow, use `match_ip` filters because Dynamic Tests for NetFlow target observed destination IP addresses.
+
 To include or exclude specific domains or IP ranges from dynamic tests, add the following to your `/etc/datadog-agent/datadog.yaml` file:
 
 ```yaml
 network_path:
-  connections_monitoring:
-    enabled: true
   collector:
     filters:
       # exclude single domain
@@ -596,8 +664,23 @@ If no data appears in the [Network Path][4] UI, the feature may not be fully ena
 
 2. At least one Network Path feature must be active, such as:
 
-   - [Individual paths](#monitor-individual-paths) configured through the `conf.d/network_path.d` file.
-   - Experimental [network traffic paths](#network-traffic-paths-experimental) configured by enabling both `network_path.connections_monitoring` and [Cloud Network Monitoring][1](CNM).
+   - [Scheduled tests](#scheduled-tests) configured through the `conf.d/network_path.d` file.
+   - [Dynamic tests](#dynamic-tests) configured by enabling both `network_path.connections_monitoring.enabled` and [Cloud Network Monitoring][1].
+   - [Dynamic Tests for NetFlow](#dynamic-tests-for-netflow-experimental) configured by enabling `network_path.netflow_monitoring.enabled` and [NetFlow Monitoring][6].
+
+### No Dynamic Tests for NetFlow data in the UI
+
+If no paths with `origin:netflow` appear in the [Network Path][4] UI, verify the following:
+
+1. The Agent is version `7.81+`.
+2. [NetFlow Monitoring][6] is enabled and receiving flows.
+3. The traceroute module is enabled in `system-probe.yaml`.
+4. `network_path.netflow_monitoring.enabled` and `network_path.collector.monitor_ip_without_domain` are set to `true` in `datadog.yaml`.
+5. Your `network_path.collector.filters` configuration does not exclude the destination IPs you expect to monitor.
+
+Dynamic Tests for NetFlow automatically skip NetFlow records whose source IP is assigned to the Agent host before destination filters are evaluated. This prevents self-scheduling loops and is expected behavior. For NAT or alias cases where Agent-sourced traffic appears from another source IP, use `network_path.collector.source_excludes` to exclude those source IPs.
+
+Then filter the Network Path UI for `origin:netflow`.
 
 ### Error: status code: 404
 
@@ -620,7 +703,5 @@ If you encounter an error like the following:
 [3]: /help
 [4]: https://app.datadoghq.com/network/path
 [5]: https://github.com/DataDog/datadog-agent/blob/main/cmd/agent/dist/conf.d/network_path.d/conf.yaml.example
+[6]: /network_monitoring/netflow/
 [15]: /synthetics/network_path_tests/
-
-
-