DEV.co
Open-Source Observability · otterize

network-mapper

Network Mapper is a zero-configuration Kubernetes traffic visualization tool that captures pod-to-pod, pod-to-internet, and AWS IAM traffic without requiring CNI or service mesh changes. It exports network maps as text, JSON, YAML, or visualizations to help teams understand cluster communication patterns.

Source: GitHub — github.com/otterize/network-mapper
672
GitHub stars
27
Forks
Go
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryotterize/network-mapper
Ownerotterize
Primary languageGo
LicenseApache-2.0 — OSI-approved
Stars672
Forks27
Open issues6
Latest releasev3.0.19 (2025-06-10)
Last updated2025-06-10
Sourcehttps://github.com/otterize/network-mapper

What network-mapper is

Network Mapper deploys a DaemonSet-based sniffer per node and a centralized mapper component to capture DNS responses and active TCP connections, resolving traffic to Kubernetes service identities. It integrates with Istio for HTTP path-level metrics and Kafka watchers for topic-level access tracking, exporting ClientIntents resources compatible with the intents operator.

Quickstart

Get the network-mapper source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/otterize/network-mapper.gitcd network-mapper# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Zero-Config Traffic Discovery

Map existing cluster traffic without instrumenting applications or redeploying infrastructure. Ideal for legacy clusters where service mesh adoption isn't feasible.

Network Policy Automation

Export traffic maps as YAML ClientIntents to automatically generate restrictive network policies and Kafka ACLs via the intents operator.

Compliance and Access Audits

Visualize and document actual inter-service communication for security reviews, compliance audits, and least-privilege enforcement.

Implementation considerations

  • DaemonSet requires node-level privileged access to capture DNS and connection state; verify compatibility with pod security policies and audit requirements.
  • Service name resolution relies on Kubernetes resource hierarchy or explicit otterize/service-name labels; unlabeled pods may resolve to owner names (e.g., Deployment).
  • Telemetry is enabled by default and sends anonymous usage metrics; set OTTERIZE_TELEMETRY_ENABLED=false or helm flag --set global.telemetry.enabled=false to disable.
  • Istio watcher reports all HTTP traffic since sidecar startup, not per-query window; reset traffic history via Otterize CLI if snapshots are needed.
  • Kafka watcher requires Kafka authorizer logs at DEBUG level on stdout; absence of logs will result in incomplete Kafka traffic mapping.

When to avoid it — and what to weigh

  • Real-Time Deep Packet Inspection Required — Network Mapper captures DNS and connection metadata, not packet payloads. If payload-level visibility or DPI is required, consider alternatives.
  • Minimal Node-Level Permissions — Sniffer DaemonSet requires elevated node access to inspect connections and DNS. High-security clusters with strict pod security policies may face deployment challenges.
  • Transient or Bursty Traffic Patterns — Network Mapper relies on capturing DNS responses and active connections. Short-lived traffic bursts between startup and DNS query intervals may be missed.
  • Non-Kubernetes Workloads Only — Purpose-built for Kubernetes; not applicable to on-premises or non-containerized infrastructure.

License & commercial use

Apache License 2.0 (SPDX: Apache-2.0). This is a permissive OSI-approved license allowing commercial use, modification, and distribution with minimal restrictions.

Apache 2.0 permits commercial use without restriction. The open-source project itself is free; Otterize Cloud is a separate commercial offering. Review Otterize's commercial terms separately for hosted services.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Network Mapper operates at network layer without active protocol inspection. Sniffer DaemonSet requires privileged container access to read node connection tables and DNS traffic; ensure rbac/pod security policies are reviewed. No encryption or authentication data is inspected. Anonymous telemetry transmission occurs by default; disable if organization restricts data egress. No security audit, CVE history, or formal threat model provided in source data.

Alternatives to consider

Cilium Hubble

eBPF-based network visibility with service map and flow logs; requires Cilium CNI deployment and is tightly coupled to networking layer.

Istio (distributed tracing + telemetry)

Full service mesh with mTLS, traffic management, and distributed tracing; heavier operational overhead and requires sidecar injection on all pods.

Calico Enterprise / Commercial CNI solutions

Enterprise-grade network policy, microsegmentation, and threat prevention; requires CNI replacement and commercial licensing.

Software development agency

Build on network-mapper with DEV.co software developers

Try the Otterize Network Mapper quickstart—deploy via Helm and generate your first traffic map in 5 minutes. No code changes required.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

network-mapper FAQ

Does Network Mapper require changes to my applications or deployment manifests?
No. It is zero-config and works with existing workloads. Optional otterize/service-name labels improve service name resolution, but are not required.
Can it map traffic to external services or the Internet?
Yes. It captures pod-to-Internet traffic and AWS IAM traffic. DNS-based resolution is used to identify external endpoints where possible.
What is the performance overhead of the DaemonSet sniffer?
Not quantified in provided data. Lightweight deployment is claimed, but benchmark data and resource limits are not specified; requires testing in production-like environments.
Can I export the traffic map to enforce network policies automatically?
Yes. Export as YAML ClientIntents resources and deploy them using the Otterize intents operator to generate NetworkPolicy or Kafka ACLs.

Software development & web development with DEV.co

DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If network-mapper is part of your open-source observability roadmap, our team can implement, customize, migrate, and maintain it.

Visualize Your Cluster Traffic in Minutes

Try the Otterize Network Mapper quickstart—deploy via Helm and generate your first traffic map in 5 minutes. No code changes required.