Determining capture rates from log files in Security Analytics
Article ID: 169088
Updated On:
Products
Issue/Introduction
Resolution
The system records the capture rate every five minutes in the network_txt file. To get the Capture rate in megabytes, sorted with highest last run:
grep ^bytes network_txt | grep -vw 0| awk {'print $3}' | sort -n
Sample output from this command will look like the following:
3,852,644
3,852,644
4,150,253
4,150,253
4,447,690
4,447,690
4,652,156
4,652,156
5,009,763
This pulls the lines beginning with bytes (bytes/second), removes those interfaces which have no traffic, and then displays column three in numerical order, largest last. This number is bytes per second. The numbers are duplicatd because the file displays an aggregate capture rate and then repeats the rate for the specific interface. The result can be searched in vi by taking one of the returned numeric values and searching for it. Then look a few lines above for the Date and Time of when it was recorded. You can also search down to locate the interface where the value was recorded.
This next command does much the same thing but instead of printing the exact capture rate string, it multiplies times 8 so that the result is in bits instead of bytes. It does not yield a number searchable in vi.
grep ^bytes network_txt | grep -vw 0| awk '{sum = $3 * 8; print sum}' | sort -n
Sample output will look like the following:
5528
5528
5528
6272
6272
7288
7288
To get the statistics from previous logs, change the first grep to zgrep and the filename being parsed to include the earlier messages files, like messages.1.gz or messages.2.gz.
With the more recent releases, the system records the capture rate every minute. This allows the system to see the capture rates with better granularity. The command to run as root is:
grep eGBpd messages | sort -t: -k 11,11n | tail -25 |awk -F: '{print $NF*1024*1024*1024*8/86400/1000/1000/1000}'
Feedback
