p0f maxing out CPU core?

brt

Well-Known Member
Jul 9, 2015
104
10
68
US
cPanel Access Level
Root Administrator
I've noticed the p0f process maxing out a CPU core (99/100%) for a matter of hours -- often 5+ hours solid -- throughout the day. Is this doing anything productive, or likely a glitch?
 

per.hertz

Registered
Oct 14, 2014
3
0
1
cPanel Access Level
Reseller Owner
I have the same symptoms, i.e. p0f maxing out CPU - this is the result of an lsof -p [pid]:

Code:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
p0f 3740 cpanelconnecttrack cwd DIR 252,5 4096 4719863 /var/cpanel/userhomes/cpanelconnecttrack
p0f 3740 cpanelconnecttrack rtd DIR 252,5 4096 4719863 /var/cpanel/userhomes/cpanelconnecttrack
p0f 3740 cpanelconnecttrack txt REG 252,5 358547 15074803 /usr/local/cpanel/3rdparty/sbin/p0f
p0f 3740 cpanelconnecttrack DEL REG 252,5 17432978 /lib64/libnss_files-2.12.so
p0f 3740 cpanelconnecttrack mem REG 0,6 73627162 socket:[73627162] (stat: No such file or directory)
p0f 3740 cpanelconnecttrack DEL REG 252,5 17432680 /lib64/libc-2.12.so
p0f 3740 cpanelconnecttrack DEL REG 252,5 12980880 /usr/lib64/libpcap.so.1.4.0
p0f 3740 cpanelconnecttrack DEL REG 252,5 17432604 /lib64/ld-2.12.so
p0f 3740 cpanelconnecttrack 0r CHR 1,3 0t0 3793 /dev/null
p0f 3740 cpanelconnecttrack 1w REG 252,5 541 4723497 /var/run/restartsrv/startup/p0f
p0f 3740 cpanelconnecttrack 2w REG 252,5 541 4723497 /var/run/restartsrv/startup/p0f
p0f 3740 cpanelconnecttrack 3u pack 73627162 0t0 ALL type=SOCK_DGRAM
p0f 3740 cpanelconnecttrack 4u unix 0xffff8802182f52c0 0t0 73627163 /var/cpanel/userhomes/cpanelconnecttrack/p0f.socket
top shows:
upload_2015-8-26_11-58-54.png
 

brt

Results below. It's been at 100% CPU all morning today. Server is otherwise working fine, it appears, but if I were to reboot, p0f wouldn't be maxing out like this, which makes me think it's a glitch more than it's actually doing anything...
 

Attachments

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Hello :)

Internal case CPANEL-699 aims to improve the performance for passive OS fingerprinting:

Fixed case CPANEL-699: Avoid p0f watching port 80 and 443 for performance reasons.

It's included with cPanel version 11.52, which is currently only available in the "Edge" build tier.

Thank you.
 

brt

Any ETA as to when that will hit RELEASE? This is a constant, every day - all day thing I'm seeing, and it's -always- p0f running at 99/100% on one core.
 

cPanelMichael

> Any ETA as to when that will hit RELEASE? This is a constant, every day - all day thing I'm seeing, and it's -always- p0f running at 99/100% on one core.
There's currently no specific time frame; however, you can disable it via "WHM >> Service Configuration >> Service Manager" in the meantime. It's named "Passive OS Fingerprinting Daemon".

Thank you.
 

cPanelMichael

The Passive OS Fingerprinting daemon reports the visitor's operating system and other information for email notifications. This information helps you quickly identify visitors that trigger events that cause alerts.

Thank you.
 

cPanelMichael

> killing cpu here too. please update this thread when released.
Could you verify which version of cPanel is installed on your system? Internal case CPANEL-699 is already included with all 11.52 release tiers.

Thank you.
 

brt

This may be a dumb question, but which service(s) are you restarting / what script are you using to do so?
This is still affecting us. We're running 11.52.1.2 RELEASE.
 

cPanelMichael

> This is still affecting us. We're running 11.52.1.2 RELEASE.
Could you open a support ticket using the link in my signature and reference case CPANEL-2092? You can post the ticket number here so we can update this thread with the outcome.

Thank you.