diff --git a/probe/docker/reporter.go b/probe/docker/reporter.go
index 55bdbb082e..8dbb61a392 100644
--- a/probe/docker/reporter.go
+++ b/probe/docker/reporter.go
@@ -17,6 +17,7 @@ const (
 ImageName = "docker_image_name"
 ImageLabelPrefix = "docker_image_label_"
 OverlayPeerPrefix = "docker_peer_"
+ IsInHostNetwork = "docker_is_in_host_network"
 )
 // Exposed for testing
@@ -191,21 +192,21 @@ func (r *Reporter) containerTopology(localAddrs []net.IP) report.Topology {
 Add(ContainerIPsWithScopes, report.MakeStringSet(hostIPsWithScopes...))
 }
- var networkInfo func(prefix string) report.Sets
- networkInfo = func(prefix string) report.Sets {
+ var networkInfo func(prefix string) (report.Sets, bool)
+ networkInfo = func(prefix string) (ips report.Sets, isInHostNamespace bool) {
 container, ok := r.registry.GetContainerByPrefix(prefix)
 if !ok {
- return report.EmptySets
+ return report.EmptySets, false
 }
 networkMode, ok := container.NetworkMode()
 if ok && strings.HasPrefix(networkMode, "container:") {
 return networkInfo(networkMode[10:])
 } else if ok && networkMode == NetworkModeHost {
- return hostNetworkInfo
+ return hostNetworkInfo, true
 }
- return container.NetworkInfo(localAddrs)
+ return container.NetworkInfo(localAddrs), false
 }
 for _, node := range nodes {
@@ -213,8 +214,17 @@ func (r *Reporter) containerTopology(localAddrs []net.IP) report.Topology {
 if !ok {
 continue
 }
- networkInfo := networkInfo(id)
- result.AddNode(node.WithSets(networkInfo))
+ networkInfo, isInHostNamespace := networkInfo(id)
+ node = node.WithSets(networkInfo)
+ // Indicate whether the container is in the host network
+ // The container's NetworkMode is not enough due to
+ // delegation (e.g. NetworkMode="container:foo" where
+ // foo is a container in the host networking namespace)
+ if isInHostNamespace {
+ node = node.WithLatests(map[string]string{IsInHostNetwork: "true"})
+ }
+ result.AddNode(node)
+
 }
 }
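Review bot: The named results `ips` and `isInHostNamespace` on the networkInfo closure are never assigned or read by name — all four returns are explicit — so they serve only as documentation, and `ips` says nothing that `report.Sets` does not. Either drop the names so the literal matches the `var networkInfo func(prefix string) (report.Sets, bool)` declaration above it, or keep them and add a comment above the declaration such as `// networkInfo resolves a container's network namespace, following "container:<id>" delegation recursively, and reports whether the namespace it ends up in is the host's.` The point worth recording is that the bool reflects the end of the recursion, not this container's own NetworkMode, which is why the caller cannot derive it from NetworkMode alone. containerTopology starts and ends outside the hunk.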
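Review bot: The marker set with `node = node.WithLatests(map[string]string{IsInHostNetwork: "true"})` is only ever written as "true", and the consumer in render/container.go checks presence alone (`_, isInHostNetwork := m.Latest.Lookup(docker.IsInHostNetwork)`), so the key is effectively presence-based and any future value, including "false", would be read as in-host-network. That matches how DoesNotMakeConnections is consumed, but it should be stated where the key is defined, e.g. on the constant added in the first hunk: `// IsInHostNetwork is set (to "true") only on containers whose resolved network namespace is the host's; consumers test for presence, not value.` The added empty line after `result.AddNode(node)` before the loop's closing brace is a stray blank that gofmt will keep; drop it. The enclosing for loop and containerTopology continue outside the hunk on both sides.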
diff --git a/render/container.go b/render/container.go
index 5ec6ccbe29..6b48a758e0 100644
--- a/render/container.go
+++ b/render/container.go
@@ -249,7 +249,11 @@ var portMappingMatch = regexp.MustCompile(`([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.
 func MapContainer2IP(m report.Node) []string {
 // if this container doesn't make connections, we can ignore it
 _, doesntMakeConnections := m.Latest.Lookup(report.DoesNotMakeConnections)
- if doesntMakeConnections {
+ // if this container belongs to the host's networking namespace
+ // we cannot use its IP to attribute connections
+ // (they could come from any other process on the host or DNAT-ed IPs)
+ _, isInHostNetwork := m.Latest.Lookup(docker.IsInHostNetwork)
+ if doesntMakeConnections || isInHostNetwork {
 return nil
 }