Skip to content
Visit Analytics on GitHub
Set theme to dark (⇧+D)

NAv2 node reference

Main nodes

Main nodes provide deep packet-level information about traffic and attacks for Spectrum customers and Magic Transit customers.

Use the main node to query traffic and attacks at a high level, as seen at the Cloudflare edge:

ProductMain node
Magic TransitmagicTransitNetworkAnalyticsAdaptiveGroups

To query more specific details about attacks, use the attack nodes.

Each row represents a packet sample. The sample rate of main nodes is 1/10,000 packets.

If you are using both Magic Transit and Spectrum for IP addresses that overlap, you can use only the Magic Transit node.

Attack nodes


Provides information about DDoS attacks detected and mitigated by Cloudflare's main DDoS protection system, the denial of service daemon (dosd). This node includes attack metadata such as:

  • attackStartDateTime
  • attackEndDatetime
  • attackType
  • attackSourceIp

Each row represents an attack event. Each attack has a unique ID.

The sample rate is 1/10,000 packets.


Complements the information in the dosdAttackAnalyticsAdaptiveGroups node. Provides deep packet-level information about DDoS attack packets mitigated by dosd, including fields such as:

  • ipProtocol
  • ipv4Checksum
  • ipv4Options
  • tcpSequenceNumber
  • tcpChecksum
  • icmpCode

Each row represents a packet sample. The sample rate is 1/10,000 packets.


This node is only available to Magic Transit customers. Provides metadata about out-of-state TCP DDoS attacks mitigated by flowtrackd, Cloudflare’s Advanced TCP Protection system.

flowtrackd does not use the following ID fields: attack ID, rule ID, and ruleset ID.

The sample rate is dynamic and based on the volume of packets, ranging from 1/100 to 1/10,000 packets.


This node is only available to Magic Transit customers. Provides information about packets that were matched against customer-configured Magic Firewall rules.

Each row represents a packet sample that matches a Magic Firewall rule.

Magic Firewall does not use attack IDs, only rule IDs and ruleset IDs.

The sample rate is 1/100 packets.