03-19-2007
Clifford Kite
Re: Why does pppd (pppoe) go to 95% to 100% of CPU?

hazzmat <hazzmat@unitedstatesgovernmentbellsouth.net> wrote:
> On Sun, 18 Mar 2007 17:25:46 -0500, Clifford Kite wrote:
>> What does "tcpdump -vn -i ppp0" show at 95% plus?


> I was going to send this directly to you but then I saw you had outdone me
> in the email address obfuscation department.


It just seems better to have open discussions.

At this point I need to admit that I don't read tcpdump messages with
an expert eye, so prefix all my comments with "It appears to be" :-}.
Note also that I've shortened the IP addresses in my comments to the
last two octets.

> 22:46:47.683683 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 78) 68.211.148.46.2048 > 63.208.196.90.53: 5812 [1au] A? myrouter.homedns.org. (50)
> 22:46:47.768625 IP (tos 0x0, ttl 47, id 20391, offset 0, flags [none], proto: UDP (17), length: 271) 63.208.196.90.53 > 68.211.148.46.2048: 5812*- 1/5/6 myrouter.homedns.org. A[|domain]


Nameserver request by 148.46 and reply by 196.90.

> 22:47:03.167880 IP (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 76) 68.211.148.46.123 > 216.27.185.42.123: NTPv4, length 48
> Client, Leap indicator: (0), Stratum 11, poll 9s, precision -18
> Root Delay: 0.000000, Root dispersion: 0.012802, Reference-ID: 127.127.1.0
> Reference Timestamp: 3383261163.122205999 (2007/03/18 22:46:03)
> Originator Timestamp: 3383260966.028969999 (2007/03/18 22:42:46)
> Receive Timestamp: 3383260966.085657999 (2007/03/18 22:42:46)
> Transmit Timestamp: 3383261223.167523999 (2007/03/18 22:47:03)
> Originator - Receive Timestamp: +0.056687999
> Originator - Transmit Timestamp: +257.138554000
> 22:47:03.278711 IP (tos 0x0, ttl 45, id 53813, offset 0, flags [DF], proto: UDP (17), length: 76) 216.27.185.42.123 > 68.211.148.46.123: NTPv4, length 48
> Server, Leap indicator: (0), Stratum 2, poll 9s, precision -20
> Root Delay: 0.064544, Root dispersion: 0.075027, Reference-ID: 192.43.244.18
> Reference Timestamp: 3383260953.416635999 (2007/03/18 22:42:33)
> Originator Timestamp: 3383261223.167523999 (2007/03/18 22:47:03)
> Receive Timestamp: 3383261223.223599999 (2007/03/18 22:47:03)
> Transmit Timestamp: 3383261223.223620999 (2007/03/18 22:47:03)
> Originator - Receive Timestamp: +0.056075999
> Originator - Transmit Timestamp: +0.056096999


Time update.

> 22:47:47.794580 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 78) 68.211.148.46.2048 > 63.208.196.90.53: 17877 [1au] A? myrouter.homedns.org. (50)
> 22:47:47.878019 IP (tos 0x0, ttl 47, id 63177, offset 0, flags [none], proto: UDP (17), length: 271) 63.208.196.90.53 > 68.211.148.46.2048: 17877*- 1/5/6 myrouter.homedns.org. A[|domain]


Nameserver request by 148.46 and reply by 196.90.

> 22:48:25.260800 IP (tos 0x0, ttl 127, id 10736, offset 0, flags [DF], proto: TCP (6), length: 48) 68.211.148.46.3033 > 68.215.208.239.80: S, cksum 0xb52c (correct), 2868897793:2868897793(0) win 16384 <mss 1460,nop,nop,sackOK>
> 22:48:28.263114 IP (tos 0x0, ttl 127, id 10737, offset 0, flags [DF], proto: TCP (6), length: 48) 68.211.148.46.3033 > 68.215.208.239.80: S, cksum 0xb52c (correct), 2868897793:2868897793(0) win 16384 <mss 1460,nop,nop,sackOK>
> 22:48:34.197737 IP (tos 0x0, ttl 127, id 10738, offset 0, flags [DF], proto: TCP (6), length: 48) 68.211.148.46.3033 > 68.215.208.239.80: S, cksum 0xb52c (correct), 2868897793:2868897793(0) win 16384 <mss 1460,nop,nop,sackOK>


148.46 looking for a web server on 208.239.

> 22:48:47.903381 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 78) 68.211.148.46.2048 > 63.208.196.90.53: 53689 [1au] A? myrouter.homedns.org. (50)
> 22:48:47.990133 IP (tos 0x0, ttl 47, id 44082, offset 0, flags [none], proto: UDP (17), length: 271) 63.208.196.90.53 > 68.211.148.46.2048: 53689*- 1/5/6 myrouter.homedns.org. A[|domain]


Nameserver request by 148.46 and reply by 196.90.

> 22:49:10.436550 IP (tos 0x0, ttl 46, id 0, offset 0, flags [DF], proto: UDP (17), length: 485) 202.97.238.202.57877 > 68.211.148.46.1026: UDP, length 457
> 22:49:31.116522 IP (tos 0x0, ttl 45, id 0, offset 0, flags [DF], proto: UDP (17), length: 485) 221.209.110.48.45878 > 68.211.148.46.1026: UDP, length 457


Probes to 148.46 port 1026.

> 22:49:48.016167 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 78) 68.211.148.46.2048 > 63.208.196.90.53: 54286 [1au] A? myrouter.homedns.org. (50)


Nameserver request by 148.46 to 196.90, unanswered. Note that the requests
have come at one-minute intervals until now.

> 22:49:49.011043 IP (tos 0x0, ttl 127, id 11000, offset 0, flags [none], proto: UDP (17), length: 78) 68.211.148.46.1160 > 205.152.37.23.53: 162+ A? printer.myrouter.homedns.org. (50)
> 22:49:50.016800 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 78) 68.211.148.46.2048 > 204.13.249.81.53: 13612 [1au] A? myrouter.homedns.org. (50)
> 22:49:54.017927 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 78) 68.211.148.46.2048 > 204.13.250.81.53: 52486 [1au] A? myrouter.homedns.org. (50)
> 22:49:54.023732 IP (tos 0x0, ttl 127, id 11032, offset 0, flags [none], proto: UDP (17), length: 78) 68.211.148.46.1160 > 205.152.37.23.53: 11938+ A? printer.myrouter.homedns.org. (50)
> 22:49:58.018914 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 67) 68.211.148.46.2048 > 213.155.150.205.53: 59011 A? myrouter.homedns.org. (39)


Two nameserver requests from 148.46 to 37.23, one nameserver request to
each of 249.81, 250.81, and 150.205, all unanswered.

> 22:49:59.024773 IP (tos 0x0, ttl 127, id 11089, offset 0, flags [none], proto: UDP (17), length: 78) 68.211.148.46.1160 > 205.152.37.23.53: 16805+ A? printer.myrouter.homedns.org. (50)
> 22:49:59.154697 IP (tos 0x0, ttl 127, id 11094, offset 0, flags [none], proto: UDP (17), length: 78) 68.211.148.46.1027 > 205.152.37.23.53: 57252+ A? printer.myrouter.homedns.org. (50)
> 22:50:02.020093 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 67) 68.211.148.46.2048 > 63.170.10.81.53: 19736 A? myrouter.homedns.org. (39)
> 22:50:02.868708 IP (tos 0x0, ttl 127, id 11396, offset 0, flags [none], proto: UDP (17), length: 75) 68.211.148.46.1026 > 205.152.37.23.53: 5799+ A? vandals.myrouter.homedns.org. (47)
> 22:50:04.024710 IP (tos 0x0, ttl 127, id 11419, offset 0, flags [none], proto: UDP (17), length: 78) 68.211.148.46.1160 > 205.152.37.23.53: 1703+ A? printer.myrouter.homedns.org. (50)
> 22:50:04.154568 IP (tos 0x0, ttl 127, id 11422, offset 0, flags [none], proto: UDP (17), length: 78) 68.211.148.46.1027 > 205.152.37.23.53: 26022+ A? printer.myrouter.homedns.org. (50)


Six nameserver requests by 148.46 to 37.23, all unanswered.

> 22:50:06.026874 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 67) 68.211.148.46.2048 > 63.208.196.90.53: 42636 A? myrouter.homedns.org. (39)
> 22:50:06.029922 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 71) 68.211.148.46.2048 > 63.208.196.90.53: 21318% [1au] AAAA? ns1.dyndns.org. (43)
> 22:50:06.032884 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 71) 68.211.148.46.2048 > 63.208.196.90.53: 38091% [1au] AAAA? ns2.dyndns.org. (43)
> 22:50:06.035838 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 71) 68.211.148.46.2048 > 63.208.196.90.53: 38784% [1au] AAAA? NS3.DYNDNS.ORG. (43)
> 22:50:06.038799 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 71) 68.211.148.46.2048 > 63.208.196.90.53: 52160% [1au] AAAA? NS4.DYNDNS.ORG. (43)
> 22:50:06.041773 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 71) 68.211.148.46.2048 > 63.208.196.90.53: 45704% [1au] AAAA? ns5.dyndns.org. (43)


Six nameserver requests by 148.46 to 196.90, all unanswered.

> 22:50:08.027217 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 67) 68.211.148.46.2048 > 204.13.249.81.53: 22852 A? myrouter.homedns.org. (39)
> 22:50:08.031079 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 71) 68.211.148.46.2048 > 204.13.249.81.53: 5673% [1au] AAAA? ns1.dyndns.org. (43)
> 22:50:08.034071 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 71) 68.211.148.46.2048 > 204.13.249.81.53: 35620% [1au] AAAA? ns2.dyndns.org. (43)
> 22:50:08.037069 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 71) 68.211.148.46.2048 > 204.13.249.81.53: 57988% [1au] AAAA? NS3.DYNDNS.ORG. (43)
> 22:50:08.040063 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 71) 68.211.148.46.2048 > 204.13.249.81.53: 28994% [1au] AAAA? NS4.DYNDNS.ORG. (43)
> 22:50:08.043067 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 71) 68.211.148.46.2048 > 204.13.249.81.53: 56447% [1au] AAAA? ns5.dyndns.org. (43)


Six nameserver requests from 148.46 to 249.81, the first four unanswered...

> 22:50:08.090832 IP (tos 0x0, ttl 50, id 11337, offset 0, flags [none], proto: UDP (17), length: 122) 204.13.249.81.53 > 68.211.148.46.2048: 28994*- 0/1/1 (94)
> 22:50:08.094677 IP (tos 0x0, ttl 50, id 11343, offset 0, flags [none], proto: UDP (17), length: 122) 204.13.249.81.53 > 68.211.148.46.2048: 56447*- 0/1/1 (94)


but with replies to the last two.

> 22:50:09.155667 IP (tos 0x0, ttl 127, id 11437, offset 0, flags [none], proto: UDP (17), length: 78) 68.211.148.46.1026 > 205.152.37.23.53: 50617+ A? printer.myrouter.homedns.org. (50)
> 22:50:09.210146 IP (tos 0x0, ttl 57, id 64732, offset 0, flags [DF], proto: UDP (17), length: 108) 205.152.37.23.53 > 68.211.148.46.1026: 50617 2/0/0 printer.myrouter.homedns.org.[|domain]


Nameserver request from 148.46 to 37.23, reply by 37.23.

> 22:50:12.028322 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 67) 68.211.148.46.2048 > 204.13.250.81.53: 55874 A? myrouter.homedns.org. (39)
> 22:50:12.033103 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 71) 68.211.148.46.2048 > 204.13.250.81.53: 46783% [1au] AAAA? ns1.dyndns.org. (43)
> 22:50:12.036097 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 71) 68.211.148.46.2048 > 204.13.250.81.53: 55034% [1au] AAAA? ns2.dyndns.org. (43)
> 22:50:12.039098 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 71) 68.211.148.46.2048 > 204.13.250.81.53: 13732% [1au] AAAA? NS3.DYNDNS.ORG. (43)


Four nameserver requests from 148.46 to 250.81...

> 22:50:12.140431 IP (tos 0x0, ttl 48, id 51859, offset 0, flags [none], proto: UDP (17), length: 260) 204.13.250.81.53 > 68.211.148.46.2048: 55874*- 1/5/5 myrouter.homedns.org. A[|domain]
> 22:50:12.144665 IP (tos 0x0, ttl 48, id 51860, offset 0, flags [none], proto: UDP (17), length: 118) 204.13.250.81.53 > 68.211.148.46.2048: 46783*- 0/1/1 (90)
> 22:50:12.155065 IP (tos 0x0, ttl 48, id 51863, offset 0, flags [none], proto: UDP (17), length: 122) 204.13.250.81.53 > 68.211.148.46.2048: 55034*- 0/1/1 (94)
> 22:50:12.155514 IP (tos 0x0, ttl 48, id 51866, offset 0, flags [none], proto: UDP (17), length: 122) 204.13.250.81.53 > 68.211.148.46.2048: 13732*- 0/1/1 (94)


with replies by 250.81 to those requests.

There were many nameserver requests by 148.46 to different hosts with no
answer, all within approximately 20 seconds. I'm not sure what is being
requested, or why there are no replies, but suspect if replies were
forthcoming there would be no problem.

--
Clifford Kite

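Added example, not part of the post above: the request/reply pairing done by eye in that walkthrough can be automated by keying each DNS query on client address, client port, server address and transaction ID, then clearing it when a reply with the mirrored key arrives. The function name `unanswered` and the sample lines (documentation addresses, `example.org` names) are constructed for illustration in the same `tcpdump -vn` format.

```python
import re
from collections import Counter

# One "tcpdump -vn" line: "<time> IP (...) src.sport > dst.dport: <txid><flags> <rest>"
LINE = re.compile(
    r"(\d+:\d+:\d+\.\d+) IP .*? "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"(\d+)[^\s\d]* (.*)$")

def unanswered(lines):
    """Return (pending, per_server): queries never answered, and a count per server."""
    pending = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # NTP, TCP SYNs, bare UDP probes, wrapped continuation lines
        ts, src, sport, dst, dport, txid, rest = m.groups()
        if dport == "53":
            q = re.search(r"(\w+)\? (\S+)", rest)  # e.g. "A? name." or "AAAA? name."
            if q:
                pending[(src, sport, dst, txid)] = (ts, q.group(1), q.group(2))
        elif sport == "53":
            # A reply only clears a query if it comes from the server that was
            # asked, to the port that asked, with the same transaction ID.
            pending.pop((dst, dport, src, txid), None)
    return pending, Counter(key[2] for key in pending)

# Constructed sample capture (not the poster's data).
SAMPLE = """\
22:47:03.167880 IP (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 76) 192.0.2.46.123 > 198.51.100.42.123: NTPv4, length 48
22:49:48.016167 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 78) 192.0.2.46.2048 > 198.51.100.90.53: 54286 [1au] A? router.example.org. (50)
22:49:49.011043 IP (tos 0x0, ttl 127, id 11000, offset 0, flags [none], proto: UDP (17), length: 78) 192.0.2.46.1160 > 203.0.113.23.53: 162+ A? printer.router.example.org. (50)
22:49:54.023732 IP (tos 0x0, ttl 127, id 11032, offset 0, flags [none], proto: UDP (17), length: 78) 192.0.2.46.1160 > 203.0.113.23.53: 11938+ A? printer.router.example.org. (50)
22:50:08.040063 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 71) 192.0.2.46.2048 > 198.51.100.81.53: 28994% [1au] AAAA? ns4.example.net. (43)
22:50:08.090832 IP (tos 0x0, ttl 50, id 11337, offset 0, flags [none], proto: UDP (17), length: 122) 198.51.100.81.53 > 192.0.2.46.2048: 28994*- 0/1/1 (94)
22:50:09.155667 IP (tos 0x0, ttl 127, id 11437, offset 0, flags [none], proto: UDP (17), length: 78) 192.0.2.46.1026 > 203.0.113.23.53: 50617+ A? printer.router.example.org. (50)
22:50:09.210146 IP (tos 0x0, ttl 57, id 64732, offset 0, flags [DF], proto: UDP (17), length: 108) 203.0.113.23.53 > 192.0.2.46.1026: 50617 2/0/0 printer.router.example.org.[|domain]
22:50:10.000000 IP (tos 0x0, ttl 57, id 64733, offset 0, flags [DF], proto: UDP (17), length: 108) 203.0.113.99.53 > 192.0.2.46.1160: 162 1/0/0 printer.router.example.org.[|domain]
"""

if __name__ == "__main__":
    pending, per_server = unanswered(SAMPLE.splitlines())
    for (src, sport, dst, txid), (ts, qtype, name) in pending.items():
        print(f"{ts} {src}.{sport} -> {dst} id={txid} {qtype}? {name} (no reply)")
    print(dict(per_server))
```

The last sample line is a reply carrying ID 162 from a server that was never queried, so it does not clear the outstanding query; lines that tcpdump output has wrapped must be rejoined before parsing.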