Tcpdump high CPU



  • Any ideas why tcpdump would be causing such a high cpu load?
    I'm currently running build 2.0-RC1 (i386)
    built on Wed Mar 2 03:30:11 EST 2011. We are running a lot of nmap scans from behind these firewalls so I'm thinking that pf logging is suspect here.

    
    last pid:  4449;  load averages:  1.26,  1.22,  1.00    up 6+22:30:28  10:46:38
    47 processes:  5 running, 42 sleeping
    CPU: 84.3% user,  4.1% nice, 11.2% system,  0.4% interrupt,  0.0% idle
    Mem: 243M Active, 23M Inact, 74M Wired, 1128K Cache, 53M Buf, 1650M Free
    Swap: 2048M Total, 2048M Free
    
      PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
    26376 root        1 114    0   203M   200M RUN     22.2H 85.99% tcpdump
    19877 root        1  44    0  5116K  3324K select  70:40  0.00% openvpn
     2252 root        1  44    0  5116K  3324K select  47:18  0.00% openvpn
    45631 root        1  44    0  6140K  4452K select  33:25  0.00% openvpn
    57492 root        1  76   20  6728K  4644K piperd  17:58  0.00% sh
    26646 root        1  44    0  3316K   924K piperd  10:06  0.00% logger
    11520 root        1  44    0  5116K  3324K select   6:29  0.00% openvpn
    34223 root        1  64   20  3316K  1340K select   3:04  0.00% apinger
    26640 root        1  44    0  7612K  5664K kqread   1:21  0.00% lighttpd
    10836 root        1  76    0 54708K 19548K accept   0:19  0.00% php
    57488 root        1  76    0 54708K 19104K accept   0:14  0.00% php
    14478 root        1  59    0 53684K 17472K accept   0:12  0.00% php
    48273 root        1  56    0 54708K 18544K accept   0:12  0.00% php
    45162 nobody      1  44    0  5552K  2692K select   0:10  0.00% dnsmasq
    59997 root        1  44    0  3404K  1372K nanslp   0:04  0.00% cron
     1480 root        1  44    0  3316K  1348K select   0:03  0.00% ntpd
     4909 root        1  76    0  3316K  1036K nanslp   0:02  0.00% minicron
    
    

    Any input is appreciated!
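As an added example (not part of this thread), a small Python parser for a `top` snapshot like the one pasted above: it converts the TIME column, flags processes over a WCPU threshold (the 50% threshold is an assumption), and notes when the hog is tcpdump running alongside a `logger` process, the pairing the later replies attribute to pf logging rather than a manual capture.

```python
# Rows quoted from the top output in the post above (not constructed).
TOP_SNAPSHOT = """\
  PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
26376 root        1 114    0   203M   200M RUN     22.2H 85.99% tcpdump
19877 root        1  44    0  5116K  3324K select  70:40  0.00% openvpn
 2252 root        1  44    0  5116K  3324K select  47:18  0.00% openvpn
57492 root        1  76   20  6728K  4644K piperd  17:58  0.00% sh
26646 root        1  44    0  3316K   924K piperd  10:06  0.00% logger
26640 root        1  44    0  7612K  5664K kqread   1:21  0.00% lighttpd
"""


def cpu_time_seconds(field):
    """Convert top's TIME column to seconds: '22.2H' (hours) or 'MM:SS'."""
    if field.endswith("H"):
        return float(field[:-1]) * 3600
    minutes, seconds = field.split(":")
    return int(minutes) * 60 + int(seconds)


def parse_top(text):
    """Parse the process table (header skipped) into dicts."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        rows.append({
            "pid": int(f[0]),
            "cmd": f[-1],
            "wcpu": float(f[-2].rstrip("%")),
            "time": cpu_time_seconds(f[-3]),
            "state": f[-4],
        })
    return rows


def diagnose(rows, wcpu_threshold=50.0):
    """Return (commands over the threshold, pflog-reader flag).

    The flag is set when tcpdump is the hog and a logger process is present:
    on pfSense the pf log is read by tcpdump and piped to logger, so this is
    consistent with heavy pf logging rather than a capture started by hand.
    """
    hogs = [r["cmd"] for r in rows if r["wcpu"] >= wcpu_threshold]
    cmds = {r["cmd"] for r in rows}
    return hogs, ("tcpdump" in hogs and "logger" in cmds)


if __name__ == "__main__":
    rows = parse_top(TOP_SNAPSHOT)
    for r in sorted(rows, key=lambda r: r["time"], reverse=True)[:3]:
        print(f"{r['cmd']:10} {r['time']/3600:6.1f}h CPU  {r['wcpu']:6.2f}% WCPU")
    print("hogs, pflog reader suspected:", diagnose(rows))
```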



  • I ran into this issue once and was able to resolve it by unchecking "Log packets blocked by the default rule".  This option is found under Status: System logs: Settings.  You might try this just to see if it helps you isolate the issue.



  • I should also mention that I'm logging every packet both blocked and permitted. This is not by choice..


  • If you aren't running tcpdump by hand or a packet capture from the GUI, that would be the system reading the pf log. So it would definitely be tied to trying to log every packet. (Seems a bit of overkill if you ask me, but to each their own…)



  • Extremely high rates of logging (as you see when running bunches of nmap scans and logging everything) are going to consume a lot of load with tcpdump. There are far more efficient ways to log all connections if you need to do so, NetFlow probably the best.



  • Is there an opensource alternative to netflow?
    I'm logging all initial packets that create state. I haven't edited the pf config to log every single packet..



  • pfflowd package, softflowd. Google netflow site:doc.pfsense.org

