<ul><li>Netflix uses eBPF and TCP tracepoints to capture TCP flow logs at scale for network insights.</li><li>FlowExporter generates flow log records including IP addresses, ports, and timestamps, with around 5 million records per second.</li><li>Attributing IP addresses accurately to workload identities is crucial for making flow logs useful.</li><li>Initially, misattribution issues arose due to delays in IP address change events reaching FlowCollector.</li><li>FlowCollector's new attribution method involves correctly attributing local and remote IP addresses.</li><li>For container workloads, IPManAgent assists in assigning IP addresses to workload IDs.</li><li>Accurate attribution of IP addresses is achieved by maintaining time ranges of IP address ownership.</li><li>A broadcasting mechanism using Kafka helps in sharing IP address time ranges among FlowCollector nodes.</li><li>Cross-regional IP address attribution is facilitated by forwarding flows to nodes in the corresponding region.</li><li>Verification of the new attribution method was done by analyzing flow logs of a large service with known dependencies.</li></ul>

How Netflix Accurately Attributes eBPF Flow Logs

Discover more