sar (sysstat)

What it is

sar — System Activity Reporter — is the general-purpose Linux counter-dump tool in the sysstat package. It has two modes that matter in production:

  • Live mode: sar -n DEV 1 — interval sampling of network interface counters (or CPU, memory, swap, disk — pick a sub-command). Functionally similar to vmstat / iostat / mpstat but with a common CLI and many more counter groups.
  • Archive mode: sar (no args) reads pre-collected data recorded by the companion daemon sadc into /var/log/sa/saNN. Gives historical CPU / memory / I/O / network data going back days to weeks — invaluable when investigating an incident that already ended.

Key sub-commands used in the Netflix checklist

  • sar -n DEV 1 — per-interface bytes/sec + packets/sec + errors.
  • sar -n TCP,ETCP 1 — TCP connection counters + extended TCP error counters.

sar -n DEV 1 — interface throughput

12:16:49 AM   IFACE   rxpck/s   txpck/s    rxkB/s    txkB/s   ...   %ifutil
12:16:49 AM    eth0  19763.00   5101.00  21999.10    482.56   ...      0.00

Use it to:

  • Measure NIC throughput — rxkB/s + txkB/s vs link capacity. Netflix example: 22 MB/s eth0 receive ≈ 176 Mbit/s on a 1 Gbit NIC, i.e. well under cap.
  • Check for packet-rate saturation: rxpck/s + txpck/s against the NIC's pps ceiling (not bytes ceiling; these are different limits and small-packet-heavy workloads hit pps first).
  • %ifutil is available on newer sar versions but "hard to get right, and seems to not be working in this example (0.00)" — treat with caution; cross-check with Brendan Gregg's nicstat.

sar -n TCP,ETCP 1 — TCP signals

12:17:20 AM  active/s passive/s    iseg/s    oseg/s
12:17:20 AM      1.00      0.00  10233.00  18846.00

12:17:20 AM  atmptf/s  estres/s retrans/s isegerr/s   orsts/s
12:17:20 AM      0.00      0.00      0.00      0.00      0.00

  • active/s — locally-initiated TCP connections (via connect()). Think downstream calls from this host.
  • passive/s — remotely-initiated TCP connections (via accept()). Think inbound load.
  • retrans/s — TCP retransmits. A signal shared between network problems and server overload: non-zero retransmits are always worth investigating, but the counter alone does not say which of the two causes applies.
  • isegerr/s / orsts/s — inbound segment errors and outbound resets.
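
An added example (not from the original page or from sysstat): a small parser for the text that sar -n DEV and sar -n TCP,ETCP print, which recomputes link utilisation from rxkB/s and txkB/s as a cross-check on %ifutil and lists every interval with non-zero retrans/s. The sample text is constructed, and the 1 Gbit full-duplex link, the 1024-byte kB and the function names are assumptions.

```python
import re

# Constructed sample in the layout of `sar -n DEV 1` / `sar -n TCP,ETCP 1`.
# The 12:16:49 and 12:17:20 rows reuse the page's figures; 12:17:21 is invented.
SAMPLE = """\
12:16:49 AM     IFACE   rxpck/s   txpck/s    rxkB/s    txkB/s   rxcmp/s   txcmp/s  rxmcst/s   %ifutil
12:16:49 AM      eth0  19763.00   5101.00  21999.10    482.56      0.00      0.00      0.00      0.00

12:17:20 AM  atmptf/s  estres/s retrans/s isegerr/s   orsts/s
12:17:20 AM      0.00      0.00      0.00      0.00      0.00
12:17:21 AM      0.00      0.00     42.00      0.00      3.00
"""

STAMP = re.compile(r"^(\d\d:\d\d:\d\d(?:\s+[AP]M)?|Average:)\s+")

def parse_sar(text):
    """Yield one dict per data row, keyed by the column names of its header row."""
    header = None
    for line in text.splitlines():
        m = STAMP.match(line)
        if not m:
            continue  # banner, blank line, or anything without a timestamp
        fields = line[m.end():].split()
        if fields and (fields[-1].endswith("/s") or fields[-1].startswith("%")):
            header = fields  # column-name row: its last cell is a counter name
        elif header and len(fields) == len(header):
            yield {"time": m.group(1), **dict(zip(header, fields))}

def nic_load(rows, link_mbit=1000, kb_bytes=1024):
    """Per interface: (rx Mbit/s, tx Mbit/s, % of link, packets/s)."""
    # Assumptions: full duplex, so the busier direction sets utilisation;
    # sar's kB is 1024 bytes; link_mbit is supplied by the caller.
    load = {}
    for r in rows:
        if "IFACE" in r:
            rx, tx = (float(r[k]) * kb_bytes * 8 / 1e6 for k in ("rxkB/s", "txkB/s"))
            pps = float(r["rxpck/s"]) + float(r["txpck/s"])
            util = round(100 * max(rx, tx) / link_mbit, 1)
            load[r["IFACE"]] = (round(rx, 1), round(tx, 1), util, pps)
    return load

def retransmit_intervals(rows):
    """Timestamp and rate of every interval with non-zero retrans/s."""
    return [(r["time"], float(r["retrans/s"])) for r in rows if float(r.get("retrans/s", 0)) > 0]

if __name__ == "__main__":
    rows = list(parse_sar(SAMPLE))
    print(nic_load(rows), retransmit_intervals(rows))
```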

Archive mode is what makes sar special

sadc (the data collector) is run every 10 minutes by cron (/etc/cron.d/sysstat on most distributions), capturing ~200 counters into binary-format day-files. Running sar with no args the next day, or sar -f /var/log/sa/sa15, reads that history. For an incident that ended before you logged in, sar is frequently the only source of ground truth.
