Network Monitoring using SAR

Malith Jayasinghe
Jul 17, 2017

In this post we look at how to use SAR (System Activity Report) to monitor network activity.

Installing SAR

Monitoring network interface statistics

command: sar -n DEV

The report contains the following:

  1. IFACE: Name of the network interface for which statistics are reported.
  2. rxpck/s: packet receiving rate (unit: packets/second)
  3. txpck/s: packet transmitting rate (unit: packets/second)
  4. rxkB/s: data receiving rate (unit: Kbytes/second)
  5. txkB/s: data transmitting rate (unit: Kbytes/second)
  6. rxcmp/s: compressed packets receiving rate (unit: Kbytes/second)
  7. txcmp/s: compressed packets transmitting rate (unit: Kbytes/second)
  8. rxmcst/s: multicast packets receiving rate (unit: Kbytes/second)

The following report shows the SAR output while running a performance test with 50 concurrent users (note: the tests started around 5.29 AM).

The SAR report for the same performance test with 500 concurrent users is shown below (note: the performance test started around 6.30 AM).

Note that there is a significant increase in the data transfer rates.

Monitoring network interface errors

command: sar -n EDEV

  1. IFACE: Name of the network interface for which statistics are reported.
  2. rxerr/s: Total number of bad packets received per second.
  3. txerr/s: Total number of errors that happened per second while transmitting packets.
  4. coll/s: Number of collisions that happened per second while transmitting packets.
  5. rxdrop/s: Number of received packets dropped per second because of a lack of space in Linux buffers.
  6. txdrop/s: Number of transmitted packets dropped per second because of a lack of space in Linux buffers.
  7. txcarr/s: Number of carrier-errors that happened per second while transmitting packets.
  8. rxfram/s: Number of frame alignment errors that happened per second on received packets.
  9. rxfifo/s: Number of FIFO overrun errors that happened per second on received packets.
  10. txfifo/s: Number of FIFO overrun errors that happened per second on transmitted packets.

See below for a sample report.
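As an added example (not part of the original post), the Python sketch below parses the text output of `sar -n EDEV` and lists the intervals in which any error or drop counter is non-zero. The sample report, host name and function names are constructed for illustration; the parser also accepts `sar -n DEV` output, since both reports share the IFACE header layout.

```python
# Added example: parse `sar -n EDEV` / `sar -n DEV` text and flag error intervals.
# SAMPLE is constructed for illustration (host, kernel string and rates are made up).
SAMPLE = """\
Linux 4.x (example-host)    07/17/2017    _x86_64_    (4 CPU)

06:30:01 AM     IFACE   rxerr/s   txerr/s    coll/s  rxdrop/s  txdrop/s  txcarr/s  rxfram/s  rxfifo/s  txfifo/s
06:40:01 AM      eth0      0.00      0.00      0.00     12.50      0.00      0.00      0.00      3.10      0.00
06:40:01 AM        lo      0.00      0.00      0.00      0.00      0.00      0.00      0.00      0.00      0.00
06:50:01 AM      eth0      0.00      0.00      0.00      0.00      0.00      0.00      0.00      0.00      0.00
06:50:01 AM        lo      0.00      0.00      0.00      0.00      0.00      0.00      0.00      0.00      0.00
Average:         eth0      0.00      0.00      0.00      6.25      0.00      0.00      0.00      1.55      0.00
Average:           lo      0.00      0.00      0.00      0.00      0.00      0.00      0.00      0.00      0.00
"""


def parse_sar(text):
    """Return one dict per interval row; banner, blank and Average rows are skipped."""
    rows, names = [], None
    for line in text.splitlines():
        fields = line.split()
        if "IFACE" in fields:
            # Header row (sar repeats it in long reports): keep IFACE and the
            # counters to its right, whatever the timestamp format is.
            names = fields[fields.index("IFACE"):]
            continue
        if names is None or len(fields) <= len(names) or fields[0] == "Average:":
            continue
        # Index from the right so "06:40:01 AM" and "14:40:01" both work.
        values = fields[-len(names):]
        row = {"time": " ".join(fields[:-len(names)]), "IFACE": values[0]}
        for name, value in zip(names[1:], values[1:]):
            row[name] = float(value.replace(",", "."))  # some locales print 0,00
        rows.append(row)
    return rows


def error_intervals(rows, threshold=0.0):
    """Return (time, iface, {counter: rate}) for EDEV rows with a rate above threshold."""
    hits = []
    for row in rows:
        bad = {k: v for k, v in row.items()
               if k not in ("time", "IFACE") and v > threshold}
        if bad:
            hits.append((row["time"], row["IFACE"], bad))
    return hits


if __name__ == "__main__":
    for when, iface, bad in error_intervals(parse_sar(SAMPLE)):
        print(when, iface, bad)
```

To run it on live data, replace `SAMPLE` with the captured output of `sar -n EDEV`.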

Monitoring socket usage

command: sar -n SOCK

The report contains the following:

totsck: Total number of sockets used by the system.

tcpsck: Number of TCP sockets currently in use.

udpsck: Number of UDP sockets currently in use.

rawsck: Number of RAW sockets currently in use.

ip-frag: Number of IP fragments currently in use.

tcp-tw: Number of TCP sockets in TIME_WAIT state.

The following SAR report shows the socket statistics while running a performance test. Note that the test started at 6.39 am.
