Tcpdump high CPU

phospher · Apr 11, 2011, 3:47 PM

Any ideas why tcpdump would be causing such a high cpu load?
I'm currently running build 2.0-RC1 (i386)
built on Wed Mar 2 03:30:11 EST 2011. We are running a lot of nmap scans from behind these firewalls so I'm thinking that pf logging is suspect here.


last pid:  4449;  load averages:  1.26,  1.22,  1.00    up 6+22:30:28  10:46:38
47 processes:  5 running, 42 sleeping
CPU: 84.3% user,  4.1% nice, 11.2% system,  0.4% interrupt,  0.0% idle
Mem: 243M Active, 23M Inact, 74M Wired, 1128K Cache, 53M Buf, 1650M Free
Swap: 2048M Total, 2048M Free

  PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
26376 root        1 114    0   203M   200M RUN     22.2H 85.99% tcpdump
19877 root        1  44    0  5116K  3324K select  70:40  0.00% openvpn
 2252 root        1  44    0  5116K  3324K select  47:18  0.00% openvpn
45631 root        1  44    0  6140K  4452K select  33:25  0.00% openvpn
57492 root        1  76   20  6728K  4644K piperd  17:58  0.00% sh
26646 root        1  44    0  3316K   924K piperd  10:06  0.00% logger
11520 root        1  44    0  5116K  3324K select   6:29  0.00% openvpn
34223 root        1  64   20  3316K  1340K select   3:04  0.00% apinger
26640 root        1  44    0  7612K  5664K kqread   1:21  0.00% lighttpd
10836 root        1  76    0 54708K 19548K accept   0:19  0.00% php
57488 root        1  76    0 54708K 19104K accept   0:14  0.00% php
14478 root        1  59    0 53684K 17472K accept   0:12  0.00% php
48273 root        1  56    0 54708K 18544K accept   0:12  0.00% php
45162 nobody      1  44    0  5552K  2692K select   0:10  0.00% dnsmasq
59997 root        1  44    0  3404K  1372K nanslp   0:04  0.00% cron
 1480 root        1  44    0  3316K  1348K select   0:03  0.00% ntpd
 4909 root        1  76    0  3316K  1036K nanslp   0:02  0.00% minicron

Any input is appreciated!

skear · Apr 11, 2011, 4:11 PM

I ran into this issue once and was able to resolve it by unchecking "Log packets blocked by the default rule". This option is found under Status: System logs: Settings. You might try this just to see if it helps you isolate the issue.

phospher · Apr 11, 2011, 4:17 PM

I should also mention that Im logging every packet both blocked and permitted. This is not by choice..

jimp · Apr 11, 2011, 7:17 PM

If you aren't running tcpdump by hand or a packet capture from the GUI, that would be the system reading the pf log. So it would definitely be tied to trying to log every packet. (Seems a bit of overkill if you ask me, but to each their own…)

cmb · Apr 12, 2011, 3:06 AM

Extremely high rates of logging (as you see when running bunches of nmap scans and logging everything) are going to consume a lot of load with tcpdump. There are far more efficient ways to log all connections if you need to do so, NetFlow probably the best.

phospher · Apr 12, 2011, 3:23 AM

Is there an opensource alternative to netflow?
I'm logging all initial packets that create state. I haven't edited the pf config to log every single packet..

cmb · Apr 12, 2011, 4:41 AM

pfflowd package, softflowd. Google netflow site:doc.pfsense.org