Netgate Discussion Forum

Tcpdump high CPU

  • P
    phospher
    last edited by Apr 11, 2011, 3:47 PM

    Any ideas why tcpdump would be causing such a high cpu load?
    I'm currently running build 2.0-RC1 (i386)
    built on Wed Mar 2 03:30:11 EST 2011. We are running a lot of nmap scans from behind these firewalls so I'm thinking that pf logging is suspect here.

    
    last pid:  4449;  load averages:  1.26,  1.22,  1.00    up 6+22:30:28  10:46:38
    47 processes:  5 running, 42 sleeping
    CPU: 84.3% user,  4.1% nice, 11.2% system,  0.4% interrupt,  0.0% idle
    Mem: 243M Active, 23M Inact, 74M Wired, 1128K Cache, 53M Buf, 1650M Free
    Swap: 2048M Total, 2048M Free
    
      PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
    26376 root        1 114    0   203M   200M RUN     22.2H 85.99% tcpdump
    19877 root        1  44    0  5116K  3324K select  70:40  0.00% openvpn
     2252 root        1  44    0  5116K  3324K select  47:18  0.00% openvpn
    45631 root        1  44    0  6140K  4452K select  33:25  0.00% openvpn
    57492 root        1  76   20  6728K  4644K piperd  17:58  0.00% sh
    26646 root        1  44    0  3316K   924K piperd  10:06  0.00% logger
    11520 root        1  44    0  5116K  3324K select   6:29  0.00% openvpn
    34223 root        1  64   20  3316K  1340K select   3:04  0.00% apinger
    26640 root        1  44    0  7612K  5664K kqread   1:21  0.00% lighttpd
    10836 root        1  76    0 54708K 19548K accept   0:19  0.00% php
    57488 root        1  76    0 54708K 19104K accept   0:14  0.00% php
    14478 root        1  59    0 53684K 17472K accept   0:12  0.00% php
    48273 root        1  56    0 54708K 18544K accept   0:12  0.00% php
    45162 nobody      1  44    0  5552K  2692K select   0:10  0.00% dnsmasq
    59997 root        1  44    0  3404K  1372K nanslp   0:04  0.00% cron
     1480 root        1  44    0  3316K  1348K select   0:03  0.00% ntpd
     4909 root        1  76    0  3316K  1036K nanslp   0:02  0.00% minicron
    
    

    Any input is appreciated!

    • S
      skear
      last edited by Apr 11, 2011, 4:11 PM

      I ran into this issue once and was able to resolve it by unchecking "Log packets blocked by the default rule".  This option is found under Status: System logs: Settings.  You might try this just to see if it helps you isolate the issue.

      • P
        phospher
        last edited by Apr 11, 2011, 4:17 PM

        I should also mention that I'm logging every packet, both blocked and permitted. This is not by choice..

        • J
          jimp Rebel Alliance Developer Netgate
          last edited by Apr 11, 2011, 7:17 PM

          If you aren't running tcpdump by hand or a packet capture from the GUI, that would be the system reading the pf log. So it would definitely be tied to trying to log every packet. (Seems a bit of overkill if you ask me, but to each their own…)

          • C
            cmb
            last edited by Apr 12, 2011, 3:06 AM

            Extremely high rates of logging (as you see when running bunches of nmap scans and logging everything) are going to consume a lot of load with tcpdump. There are far more efficient ways to log all connections if you need to do so, NetFlow probably the best.

            • P
              phospher
              last edited by Apr 12, 2011, 3:23 AM

              Is there an open-source alternative to NetFlow?
              I'm logging all initial packets that create state. I haven't edited the pf config to log every single packet..

              • C
                cmb
                last edited by Apr 12, 2011, 4:41 AM

                pfflowd package, softflowd. Google netflow site:doc.pfsense.org

                1 Reply Last reply Reply Quote 0
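
One way to see how much of a ruleset feeds the pf log that tcpdump reads, following the replies from jimp and cmb above (an added example, not part of the original thread): the function counts rules carrying `log` and `log (all)` in `pfctl -sr` style text. The sample rules and the function names are constructed for illustration.

```shell
#!/bin/sh
# Summarise how much of a pf ruleset is set to log. Reads rules in the text
# form printed by `pfctl -sr` from stdin and prints "total=N log=N log_all=N".
pf_log_summary() {
    awk '
        /^(pass|block|match)/ {
            total++
            r = $0
            # Drop the label so words inside it are not mistaken for keywords.
            sub(/ label "[^"]*"/, "", r)
            # "log (all)" logs every packet of a connection; a bare "log" on a
            # stateful rule logs only the packet that creates the state.
            if (r ~ /(^| )log \([^)]*all[^)]*\)/) { log_all++; logged++ }
            else if (r ~ /(^| )log( |$)/)          { logged++ }
        }
        END { printf "total=%d log=%d log_all=%d\n", total, logged, log_all }
    '
}

# Constructed sample ruleset (not taken from the poster's firewall).
sample_rules() {
    cat <<'EOF'
scrub in on em0 all fragment reassemble
block drop in log all label "Default deny rule"
block drop out log all label "Default deny rule"
pass in log quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: LAN to any"
pass in log (all) quick on em1 inet proto tcp from any to any port = 22 flags S/SA keep state
pass out all flags S/SA keep state label "let out anything from firewall host itself"
pass in quick on em0 inet proto icmp all keep state label "no log here"
EOF
}

sample_rules | pf_log_summary
```

On a live firewall the same function can be fed with `pfctl -sr | pf_log_summary`; a high `log` count combined with scan traffic is what drives the tcpdump load described in the thread.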