Tcpdump high CPU
-
Any ideas why tcpdump would be causing such a high cpu load?
I'm currently running build 2.0-RC1 (i386)
built on Wed Mar 2 03:30:11 EST 2011. We are running a lot of nmap scans from behind these firewalls so I'm thinking that pf logging is suspect here.

last pid:  4449;  load averages:  1.26,  1.22,  1.00    up 6+22:30:28  10:46:38
47 processes:  5 running, 42 sleeping
CPU: 84.3% user,  4.1% nice, 11.2% system,  0.4% interrupt,  0.0% idle
Mem: 243M Active, 23M Inact, 74M Wired, 1128K Cache, 53M Buf, 1650M Free
Swap: 2048M Total, 2048M Free

  PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
26376 root        1 114    0   203M   200M RUN     22.2H 85.99% tcpdump
19877 root        1  44    0  5116K  3324K select  70:40  0.00% openvpn
 2252 root        1  44    0  5116K  3324K select  47:18  0.00% openvpn
45631 root        1  44    0  6140K  4452K select  33:25  0.00% openvpn
57492 root        1  76   20  6728K  4644K piperd  17:58  0.00% sh
26646 root        1  44    0  3316K   924K piperd  10:06  0.00% logger
11520 root        1  44    0  5116K  3324K select   6:29  0.00% openvpn
34223 root        1  64   20  3316K  1340K select   3:04  0.00% apinger
26640 root        1  44    0  7612K  5664K kqread   1:21  0.00% lighttpd
10836 root        1  76    0 54708K 19548K accept   0:19  0.00% php
57488 root        1  76    0 54708K 19104K accept   0:14  0.00% php
14478 root        1  59    0 53684K 17472K accept   0:12  0.00% php
48273 root        1  56    0 54708K 18544K accept   0:12  0.00% php
45162 nobody      1  44    0  5552K  2692K select   0:10  0.00% dnsmasq
59997 root        1  44    0  3404K  1372K nanslp   0:04  0.00% cron
 1480 root        1  44    0  3316K  1348K select   0:03  0.00% ntpd
 4909 root        1  76    0  3316K  1036K nanslp   0:02  0.00% minicron
Any input is appreciated!
-
I ran into this issue once and was able to resolve it by unchecking "Log packets blocked by the default rule". This option is found under Status: System logs: Settings. You might try this just to see if it helps you isolate the issue.
-
I should also mention that I'm logging every packet, both blocked and permitted. This is not by choice.
-
If you aren't running tcpdump by hand or a packet capture from the GUI, that would be the system reading the pf log. So it would definitely be tied to trying to log every packet. (Seems a bit of overkill if you ask me, but to each their own…)
-
Extremely high rates of logging (as you see when running bunches of nmap scans and logging everything) are going to consume a lot of load with tcpdump. There are far more efficient ways to log all connections if you need to do so, NetFlow probably the best.
-
Is there an opensource alternative to netflow?
I'm logging all initial packets that create state. I haven't edited the pf config to log every single packet.
-
pfflowd package, softflowd. Google netflow site:doc.pfsense.org
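To make the distinction discussed in this thread concrete, here is an added pf.conf fragment (example written for this page, not configuration from the original poster or from pfSense itself) contrasting a rule that logs every matching packet with one that logs only the packet that creates state. The interface name, the network and the port are assumed placeholders; the comments note how the pflog interface is normally read, which is what the sh, tcpdump and logger processes in the top output above correspond to.

```pf
# Assumed interface and network; substitute your own.
ext_if = "em0"
lan_net = "192.0.2.0/24"

# Heavy setting: "log (all)" writes a pflog record for EVERY packet that
# matches the rule, including every packet of an established flow. Under
# a sustained scan this is the pattern that keeps the pflog reader
# (tcpdump -n -e -ttt -i pflog0 piped to logger) busy on the CPU.
pass in on $ext_if proto tcp from any to $lan_net port 22 log (all) keep state

# Lighter setting: plain "log" records only the packet that creates the
# state entry; the rest of the flow is matched by the state table and is
# not logged, so log volume scales with connections rather than packets.
pass in on $ext_if proto tcp from any to $lan_net port 22 log keep state

# Blocked traffic is logged once per packet either way, because blocked
# packets never create state; disabling the default-rule log entry (the
# GUI option mentioned in this thread) removes that source of volume.
block in log on $ext_if all
```

The practical check is to count pflog records per second while a scan is running (for example by watching the line rate of tcpdump -n -i pflog0) before and after the change: with plain log the rate should track new connections, not total packets. Exporting flows with softflowd or pfflowd, as suggested above, records the same per-connection information without a per-packet logger process on the firewall.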