Determining capture rates from log files in Security Analytics
Last Updated May 13, 2017
The file containing the recorded capture rate is called /var/log/csr-history/network_txt, or for past files network_txt-YYYYMMDD.gz. There are many lines per interface and the file requires some knowledge to read. For a quick look, have Linux parse through it and summarize the statistics. The parsing commands provided here reduce copious amounts of information down to the interesting details. If you don't have access to the CLI, you can locate the network_txt files in the Customer Service Report (CSR) downloadable from the Settings > System page in the GUI.
To get the Capture rate in megabytes, sorted with highest last run:
This pulls the lines beginning with bytes (bytes/second), removes those interfaces which have no traffic, and then displays column three in numerical order, largest last. This number is bytes per second. The numbers are duplicated because the file displays an aggregate capture rate and then repeats the rate for the specific interface. The result can be searched in vi by taking one of the returned numeric values and searching for it. Then look a few lines above for the date and time of when it was recorded. You can also search down to locate the interface where the value was recorded.
This next command does much the same thing but, instead of printing the exact capture rate string, it multiplies the value by 8 so that the result is in bits instead of bytes. It does not yield a number searchable in vi.
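The procedure above as a runnable shell example (added here; not the article's own commands). It assumes a constructed network_txt layout of `bytes <interface> <value>` lines preceded by `date:` lines, which is an assumption about the real file, and it also automates the vi lookup of the timestamp for a given value.

```shell
#!/bin/sh
# Constructed sample in the shape the article describes. The exact layout
# ("bytes <interface> <value>" under a "date:" line) is an assumption;
# adjust the field numbers if your network_txt differs.
SAMPLE='date: 2017-05-13 10:00:00
bytes aggregate 12500000
bytes eth0 12500000
bytes eth1 0
date: 2017-05-13 10:01:00
bytes aggregate 3400000
bytes eth0 3400000
bytes eth1 0'

# Bytes/second lines, zero-traffic interfaces dropped, sorted largest last.
capture_rates_bytes() {
  printf '%s\n' "$SAMPLE" | grep '^bytes' | awk '$3 != 0' | sort -k3 -n
}

# Peak rate in bytes/second: the last line of the sorted output.
peak_bytes_per_second() {
  capture_rates_bytes | tail -n 1 | awk '{print $3}'
}

# Same peak converted to bits/second (multiply by 8).
peak_bits_per_second() {
  capture_rates_bytes | tail -n 1 | awk '{print $3 * 8}'
}

# Timestamp recorded for a given bytes/second value: the lookup the
# article does by hand in vi (search the number, read the date above it).
time_for_rate() {
  printf '%s\n' "$SAMPLE" | awk -v want="$1" '
    /^date:/ { ts = $2 " " $3 }
    /^bytes/ && $3 == want { print ts; exit }'
}

# Example run against the constructed sample.
capture_rates_bytes
echo "peak: $(peak_bytes_per_second) B/s = $(peak_bits_per_second) bit/s"
echo "recorded at: $(time_for_rate "$(peak_bytes_per_second)")"
```

Replace `printf '%s\n' "$SAMPLE"` with `cat /var/log/csr-history/network_txt` (or `zcat` for the rotated .gz files) to run it against a real file.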