Netgate Discussion Forum

    Tcpdump high CPU

    2.0-RC Snapshot Feedback and Problems - RETIRED
    7 Posts 4 Posters 3.7k Views
    phospher

      Any ideas why tcpdump would be causing such a high cpu load?
      I'm currently running build 2.0-RC1 (i386)
      built on Wed Mar 2 03:30:11 EST 2011. We are running a lot of nmap scans from behind these firewalls so I'm thinking that pf logging is suspect here.

      
      last pid:  4449;  load averages:  1.26,  1.22,  1.00    up 6+22:30:28  10:46:38
      47 processes:  5 running, 42 sleeping
      CPU: 84.3% user,  4.1% nice, 11.2% system,  0.4% interrupt,  0.0% idle
      Mem: 243M Active, 23M Inact, 74M Wired, 1128K Cache, 53M Buf, 1650M Free
      Swap: 2048M Total, 2048M Free
      
        PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
      26376 root        1 114    0   203M   200M RUN     22.2H 85.99% tcpdump
      19877 root        1  44    0  5116K  3324K select  70:40  0.00% openvpn
       2252 root        1  44    0  5116K  3324K select  47:18  0.00% openvpn
      45631 root        1  44    0  6140K  4452K select  33:25  0.00% openvpn
      57492 root        1  76   20  6728K  4644K piperd  17:58  0.00% sh
      26646 root        1  44    0  3316K   924K piperd  10:06  0.00% logger
      11520 root        1  44    0  5116K  3324K select   6:29  0.00% openvpn
      34223 root        1  64   20  3316K  1340K select   3:04  0.00% apinger
      26640 root        1  44    0  7612K  5664K kqread   1:21  0.00% lighttpd
      10836 root        1  76    0 54708K 19548K accept   0:19  0.00% php
      57488 root        1  76    0 54708K 19104K accept   0:14  0.00% php
      14478 root        1  59    0 53684K 17472K accept   0:12  0.00% php
      48273 root        1  56    0 54708K 18544K accept   0:12  0.00% php
      45162 nobody      1  44    0  5552K  2692K select   0:10  0.00% dnsmasq
      59997 root        1  44    0  3404K  1372K nanslp   0:04  0.00% cron
       1480 root        1  44    0  3316K  1348K select   0:03  0.00% ntpd
       4909 root        1  76    0  3316K  1036K nanslp   0:02  0.00% minicron
      
      

      Any input is appreciated!

      skear

        I ran into this issue once and was able to resolve it by unchecking "Log packets blocked by the default rule".  This option is found under Status: System logs: Settings.  You might try this just to see if it helps you isolate the issue.


        phospher

          I should also mention that I'm logging every packet, both blocked and permitted. This is not by choice.

          jimp (Rebel Alliance Developer Netgate)

            If you aren't running tcpdump by hand or a packet capture from the GUI, that would be the system reading the pf log. So it would definitely be tied to trying to log every packet. (Seems a bit of overkill if you ask me, but to each their own…)

            cmb

              Extremely high rates of logging (as you see when running bunches of nmap scans and logging everything) are going to consume a lot of load with tcpdump. There are far more efficient ways to log all connections if you need to do so, NetFlow probably the best.

              phospher

                Is there an open-source alternative to NetFlow?
                I'm logging all initial packets that create state. I haven't edited the pf config to log every single packet.

                cmb

                  pfflowd package, softflowd. Google netflow site:doc.pfsense.org

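As an added example (not from the thread or from pfSense itself), a small sh script that summarises a pf log excerpt by rule and action and estimates logged events per second, so you can see which rules produce the volume the pflog-reading tcpdump has to process before unchecking default-rule logging or moving to NetFlow as jimp and cmb suggest. The one-line-per-event log shape and the sample events are constructed assumptions modelled on `tcpdump -ttt` output from pflog0.

```shell
#!/bin/sh
# Added example, not from the thread: summarise a pf log excerpt by rule and
# action, and estimate logged events per second, to see which rules produce
# the volume that the pflog reader (tcpdump) has to process.
# The sample lines are constructed in a one-line-per-event shape modelled on
# "tcpdump -ttt -i pflog0 | logger -t pf"; real logs may wrap an event over
# several lines, so only header lines containing "rule N/M(match):" count.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  2 10:46:30 fw pf: 00:00:00.000105 rule 1/0(match): block in on em0: 203.0.113.7.40001 > 198.51.100.2.22: Flags [S]
Mar  2 10:46:30 fw pf: 00:00:00.000090 rule 1/0(match): block in on em0: 203.0.113.7.40002 > 198.51.100.2.23: Flags [S]
Mar  2 10:46:30 fw pf: 00:00:00.000212 rule 12/0(match): pass out on em1: 192.0.2.10.51000 > 198.51.100.9.80: Flags [S]
Mar  2 10:46:30 fw pf: 00:00:00.000088 rule 1/0(match): block in on em0: 203.0.113.7.40003 > 198.51.100.2.25: Flags [S]
Mar  2 10:46:30 fw pf: 00:00:00.000301 rule 12/0(match): pass out on em1: 192.0.2.11.51001 > 198.51.100.9.443: Flags [S]
Mar  2 10:46:31 fw pf: 00:00:00.000097 rule 1/0(match): block in on em0: 203.0.113.7.40004 > 198.51.100.2.53: Flags [S]
Mar  2 10:46:31 fw pf: 00:00:00.000150 rule 7/0(match): pass in on em1: 192.0.2.12.51002 > 192.0.2.1.53: udp
Mar  2 10:46:31 fw pf: 00:00:00.000091 rule 1/0(match): block in on em0: 203.0.113.7.40005 > 198.51.100.2.135: Flags [S]
EOF

# Print "<count> <action> rule <number>", busiest rule first.
pf_log_rule_summary() {
    awk '
        match($0, / rule [0-9]+\/[0-9]+\([a-z]+\): (block|pass) /) {
            s = substr($0, RSTART, RLENGTH)   # " rule 1/0(match): block "
            split(s, f, " ")                  # f[1]="rule" f[2]="1/0(match):" f[3]="block"
            split(f[2], r, "/")               # r[1] = rule number
            count[f[3] " rule " r[1]]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# Average logged events per second across the excerpt, from the syslog
# HH:MM:SS field; assumes the excerpt does not cross midnight.
pf_log_rate() {
    awk '
        { split($3, t, ":"); sec = t[1] * 3600 + t[2] * 60 + t[3]
          if (NR == 1) first = sec
          last = sec; n++ }
        END { printf "%d\n", n / (last - first + 1) }
    ' "$1"
}

pf_log_rule_summary "$SAMPLE_LOG"
echo "events/sec: $(pf_log_rate "$SAMPLE_LOG")"
```

Point the functions at a copy of the real pf log on the box instead of the sample file to see which rule number dominates; a default-deny rule at the top of that list is exactly the case skear's fix addresses.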
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.