network-mapper
Network Mapper is a zero-configuration Kubernetes traffic visualization tool that captures pod-to-pod, pod-to-internet, and AWS IAM traffic without requiring CNI or service mesh changes. It exports network maps as text, JSON, YAML, or visualizations to help teams understand cluster communication patterns.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | otterize/network-mapper |
| Owner | otterize |
| Primary language | Go |
| License | Apache-2.0 — OSI-approved |
| Stars | 672 |
| Forks | 27 |
| Open issues | 6 |
| Latest release | v3.0.19 (2025-06-10) |
| Last updated | 2025-06-10 |
| Source | https://github.com/otterize/network-mapper |
What network-mapper is
Network Mapper deploys a DaemonSet-based sniffer per node and a centralized mapper component to capture DNS responses and active TCP connections, resolving traffic to Kubernetes service identities. It integrates with Istio for HTTP path-level metrics and Kafka watchers for topic-level access tracking, exporting ClientIntents resources compatible with the intents operator.
Get the network-mapper source
Clone the repository and explore it locally.
git clone https://github.com/otterize/network-mapper.gitcd network-mapper# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- DaemonSet requires node-level privileged access to capture DNS and connection state; verify compatibility with pod security policies and audit requirements.
- Service name resolution relies on Kubernetes resource hierarchy or explicit otterize/service-name labels; unlabeled pods may resolve to owner names (e.g., Deployment).
- Telemetry is enabled by default and sends anonymous usage metrics; set OTTERIZE_TELEMETRY_ENABLED=false or helm flag --set global.telemetry.enabled=false to disable.
- Istio watcher reports all HTTP traffic since sidecar startup, not per-query window; reset traffic history via Otterize CLI if snapshots are needed.
- Kafka watcher requires Kafka authorizer logs at DEBUG level on stdout; absence of logs will result in incomplete Kafka traffic mapping.
When to avoid it — and what to weigh
- Real-Time Deep Packet Inspection Required — Network Mapper captures DNS and connection metadata, not packet payloads. If payload-level visibility or DPI is required, consider alternatives.
- Minimal Node-Level Permissions — Sniffer DaemonSet requires elevated node access to inspect connections and DNS. High-security clusters with strict pod security policies may face deployment challenges.
- Transient or Bursty Traffic Patterns — Network Mapper relies on capturing DNS responses and active connections. Short-lived traffic bursts between startup and DNS query intervals may be missed.
- Non-Kubernetes Workloads Only — Purpose-built for Kubernetes; not applicable to on-premises or non-containerized infrastructure.
License & commercial use
Apache License 2.0 (SPDX: Apache-2.0). This is a permissive OSI-approved license allowing commercial use, modification, and distribution with minimal restrictions.
Apache 2.0 permits commercial use without restriction. The open-source project itself is free; Otterize Cloud is a separate commercial offering. Review Otterize's commercial terms separately for hosted services.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
Network Mapper operates at network layer without active protocol inspection. Sniffer DaemonSet requires privileged container access to read node connection tables and DNS traffic; ensure rbac/pod security policies are reviewed. No encryption or authentication data is inspected. Anonymous telemetry transmission occurs by default; disable if organization restricts data egress. No security audit, CVE history, or formal threat model provided in source data.
Alternatives to consider
Cilium Hubble
eBPF-based network visibility with service map and flow logs; requires Cilium CNI deployment and is tightly coupled to networking layer.
Istio (distributed tracing + telemetry)
Full service mesh with mTLS, traffic management, and distributed tracing; heavier operational overhead and requires sidecar injection on all pods.
Calico Enterprise / Commercial CNI solutions
Enterprise-grade network policy, microsegmentation, and threat prevention; requires CNI replacement and commercial licensing.
Build on network-mapper with DEV.co software developers
Try the Otterize Network Mapper quickstart—deploy via Helm and generate your first traffic map in 5 minutes. No code changes required.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
network-mapper FAQ
Does Network Mapper require changes to my applications or deployment manifests?
Can it map traffic to external services or the Internet?
What is the performance overhead of the DaemonSet sniffer?
Can I export the traffic map to enforce network policies automatically?
Software development & web development with DEV.co
DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If network-mapper is part of your open-source observability roadmap, our team can implement, customize, migrate, and maintain it.
Visualize Your Cluster Traffic in Minutes
Try the Otterize Network Mapper quickstart—deploy via Helm and generate your first traffic map in 5 minutes. No code changes required.