0

I'm running a 1G pcap file with the tcpreplay command to check whether there is any malicious traffic. The command took approx. more than 5 hours, even though the system has enough cores and RAM.

System RAM: 16G, Cores: 8

 PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
 1538 root      20   0   11980   2576   1848 R 100.0  0.0 340:14.65 tcpreplay
 4235 root      20   0   41940   3844   3092 R   0.3  0.0   0:05.50 top
32459 root      20   0       0      0      0 I   0.3  0.0   0:00.69 kworker/6:1 

root@test-vm:~# pidof tcpreplay |xargs -I{} ps -p {} -o etime,cmd
    ELAPSED CMD
   05:36:45 /usr/local/bin/tcpreplay -q -p 100 --cachefile=cachefile3 --intf1=ens225 --intf2=ens193 out3.pcap

I can provide pps up to 1000. Increasing pps sometimes doesn't give proper results, so I'd like to stick with 100 pps.

Is there any way I can reduce the execution time? Can we make tcpreplay run on multiple cores?

Darknight
  • 109

1 Answer

0

What version of Tcpreplay are you running? Version 4.3.1 fixed an issue with the --pps option, ensuring that the selected rate works with a variety of values. Barring that, you can use the --mbps option to control speed based on data rate. That has worked reliably in version 4.0 and higher.

I recommend trying the latest release of Tcpreplay.

fredk
  • 101
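
At a fixed --pps rate the replay lasts packet count divided by rate, so the run time can be estimated from the capture before starting, along with the average data rate to compare against an --mbps setting. The following is an added example, not code from the original post or from the Tcpreplay project; the function names are hypothetical, the sample capture is constructed in memory, and only the classic pcap format (not pcapng) is assumed.

```python
import io
import struct

# Classic pcap magic bytes -> struct byte order (micro- and nanosecond variants)
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}

def pcap_stats(stream):
    """Return (packet_count, captured_bytes) for a classic pcap stream."""
    header = stream.read(24)
    if len(header) < 24 or header[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    endian = MAGICS[header[:4]]
    packets = total = 0
    while True:
        rec = stream.read(16)  # ts_sec, ts_frac, incl_len, orig_len
        if len(rec) < 16:
            break  # end of file, or a truncated record header
        incl_len = struct.unpack(endian + "IIII", rec)[2]
        if len(stream.read(incl_len)) < incl_len:
            break  # truncated final packet: do not count it
        packets += 1
        total += incl_len
    return packets, total

def replay_plan(packets, total_bytes, pps):
    """Seconds needed at a fixed pps, and the average Mbps that rate implies."""
    seconds = packets / pps
    mbps = total_bytes * 8 / 1_000_000 / seconds
    return seconds, mbps

def build_sample_pcap(sizes):
    """Constructed test input: little-endian pcap with zero-filled packets."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, size in enumerate(sizes):
        out += struct.pack("<IIII", i, 0, size, size) + bytes(size)
    return out

if __name__ == "__main__":
    # For a real capture: pcap_stats(open("out3.pcap", "rb"))
    sample = io.BytesIO(build_sample_pcap([60, 1500, 590, 350]))
    packets, total = pcap_stats(sample)
    seconds, mbps = replay_plan(packets, total, pps=100)
    print(f"{packets} packets, {total} bytes")
    print(f"-p 100 -> {seconds:.2f} s, about {mbps:.3f} Mbps on average")
```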