IDSM CPU 1 High Problem

w.t.kim
Level 1

Hi everyone.

My name is Wan Tae Kim, in Korea.

I have a question about an IDSM problem.
Our customer is using an IDSM in IPS mode.
CPU1 stays at 100%, but I do not know the cause.
It is used in inline mode, but the configuration needs verification.
I would like to receive guidance from many people.

I am asking for advice on the configuration.

IDSM Configuration:

! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
overrides deny-packet-inline
override-item-status Enabled
risk-rating-range 90-100
exit
general
global-overrides-status Enabled
exit
exit
! ------------------------------
service host
network-settings
host-ip x.x.x.x/25,x.x.x.x
host-name R_Core2_IDSM
telnet-option enabled
access-list x.x.x.0/24
access-list x.x.x.0/24
access-list x.x.x.0/24
access-list x.x.x.x/32
exit
time-zone-settings
offset 540
standard-time-zone-name GMT+09:00
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
signatures 2152 0
engine flood-host
rate 100
exit
exit
signatures 5684 2
alert-severity medium
exit
signatures 13003 0
engine traffic-anomaly
event-action produce-alert
exit
exit
signatures 13003 1
engine traffic-anomaly
event-action produce-alert
exit
exit
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service analysis-engine
virtual-sensor vs0
description default virtual sensor
physical-interface GigabitEthernet0/7
physical-interface GigabitEthernet0/8
exit

Switch configuration:

monitor session 3 source vlan 305
monitor session 3 destination intrusion-detection-module 9 data-port 1

Thank you.
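
An added example, not from the original post or from Cisco: a small reviewer for the IPS/IDSM CLI configuration pasted above. It splits the dump into its "service" blocks, reports how each virtual sensor receives traffic, and flags two things a reviewer would want to see before looking at CPU figures: the management channel (telnet enabled) and inline deny overrides configured without any inline interface. Mode detection relies on the IPS CLI conventions that a bare "physical-interface X" under a virtual sensor is a promiscuous assignment, "logical-interface <pair>" attaches an inline interface pair, and "physical-interface X subinterface-number N" attaches an inline VLAN pair. The embedded configuration is a constructed, trimmed copy of the one posted (addresses were already sanitized as x.x.x.x in the post).

```python
# Constructed input: a trimmed copy of the posted IDSM configuration.
SAMPLE_CONFIG = """\
! ------------------------------
service interface
exit
! ------------------------------
service event-action-rules rules0
overrides deny-packet-inline
override-item-status Enabled
risk-rating-range 90-100
exit
general
global-overrides-status Enabled
exit
exit
! ------------------------------
service host
network-settings
host-name R_Core2_IDSM
telnet-option enabled
exit
exit
! ------------------------------
service analysis-engine
virtual-sensor vs0
description default virtual sensor
physical-interface GigabitEthernet0/7
physical-interface GigabitEthernet0/8
exit
"""


def split_services(text):
    """Split the flat CLI dump into {service_name: [command lines]}.
    Each top-level 'service <name>' line opens a block; comment lines
    starting with '!' and blank lines are skipped."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("service "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def sensor_interfaces(blocks):
    """Map each virtual sensor to {interface: mode} (assumed IPS CLI
    conventions: bare physical-interface = promiscuous, logical-interface =
    inline pair, physical-interface ... subinterface-number = inline VLAN pair)."""
    sensors, vs = {}, None
    for line in blocks.get("analysis-engine", []):
        parts = line.split()
        if parts[0] == "virtual-sensor":
            vs = parts[1]
            sensors[vs] = {}
        elif vs and parts[0] == "logical-interface":
            sensors[vs][parts[1]] = "inline-pair"
        elif vs and parts[0] == "physical-interface":
            mode = "inline-vlan-pair" if "subinterface-number" in parts else "promiscuous"
            sensors[vs][parts[1]] = mode
        elif line == "exit":
            vs = None
    return sensors


def inline_deny_rules(blocks):
    """Names of event-action-rules instances with an enabled deny-*-inline
    override; those actions only take effect on inline traffic."""
    names = []
    for svc, lines in blocks.items():
        if not svc.startswith("event-action-rules "):
            continue
        rules, pending, enabled = svc.split()[1], None, False
        for line in lines:
            parts = line.split()
            if parts[0] == "overrides" and line.endswith("-inline"):
                pending, enabled = parts[1], True  # enabled unless told otherwise
            elif pending and parts[0] == "override-item-status":
                enabled = parts[1].lower() == "enabled"
            elif pending and line == "exit":
                if enabled and rules not in names:
                    names.append(rules)
                pending = None
    return names


def review(text):
    """Return plain-text findings for a configuration dump."""
    blocks = split_services(text)
    findings = []
    if "telnet-option enabled" in blocks.get("host", []):
        findings.append("host: telnet-option enabled; management logins cross "
                        "the network in cleartext, use SSH and disable telnet")
    any_inline = False
    for vs, ifaces in sensor_interfaces(blocks).items():
        for iface, mode in sorted(ifaces.items()):
            findings.append(f"{vs}: monitors {iface} in {mode} mode")
            any_inline = any_inline or mode != "promiscuous"
    for rules in inline_deny_rules(blocks):
        if not any_inline:
            findings.append(f"event-action-rules {rules}: enabled deny-*-inline "
                            "override, but no virtual sensor has an inline "
                            "interface, so it cannot drop packets")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_CONFIG):
        print(finding)
```

Run against the posted configuration, the reviewer reports that vs0 monitors both GigabitEthernet0/7 and 0/8 promiscuously, which matches the SPAN session ("monitor session 3 ... destination intrusion-detection-module 9 data-port 1") rather than an inline deployment, so the deny-packet-inline override for risk rating 90-100 has nothing to act on; it also flags the enabled telnet option.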

1 Reply

Justin Teixeira
Level 1

Hi Wan Tae Kim,

The 100% CPU utilization is actually expected behavior and should not be cause for concern.  To confirm the actual load on the sensor you can use the command:

show stat virt

and check the line "Processing Load Percentage ="


Additionally, you can check the output of:

show int

and verify that the number of "Receive FIFO Overruns" is low/zero, indicating that the sensor is able to keep up with the rate of traffic being sent to it via your SPAN session.

Here are examples of both outputs with the important lines in bold:

sensor# show stat virt
Virtual Sensor Statistics
   Statistics for Virtual Sensor vs0
      Name of current Signature-Defintion instance = sig0
      Name of current Event-Action-Rules instance = rules0
      List of interfaces monitored by this virtual sensor = InterfacePair0 subinterface 0,GigabitEthernet0/3 subinterface 0
      General Statistics for this Virtual Sensor
         Number of seconds since a reset of the statistics = 1627117
         MemoryAlloPercent = 31
         MemoryUsedPercent = 31
         MemoryMaxCapacity = 1800000
         MemoryMaxHighUsed = 634880
         MemoryCurrentAllo = 566529
         MemoryCurrentUsed = 561597
         Processing Load Percentage = 1
         Total packets processed since reset = 7875642
         Total IP packets processed since reset = 3782287
         Total IPv4 packets processed since reset = 3755319
         Total IPv6 packets processed since reset = 26968
         Total IPv6 AH packets processed since reset = 0
         Total IPv6 ESP packets processed since reset = 0
         Total IPv6 Fragment packets processed since reset = 0
         Total IPv6 Routing Header packets processed since reset = 0
         Total IPv6 ICMP packets processed since reset = 94
         Total packets that were not IP processed since reset = 4093355
         Total TCP packets processed since reset = 204508
         Total UDP packets processed since reset = 2252490
         Total ICMP packets processed since reset = 14688
         Total packets that were not TCP, UDP, or ICMP processed since reset = 1310601
         Total ARP packets processed since reset = 2923053
         Total ISL encapsulated packets processed since reset = 0
         Total 802.1q encapsulated packets processed since reset = 0
         Total packets with bad IP checksums processed since reset = 0
         Total packets with bad layer 4 checksums processed since reset = 268
         Total number of bytes processed since reset = 1029553988
         The rate of packets per second since reset = 4
         The rate of bytes per second since reset = 632
         The average bytes per packet since reset = 130
      Denied Address Information
         Number of Active Denied Attackers = 0
         Number of Denied Attackers Inserted = 0
         Number of Denied Attacker Victim Pairs Inserted = 0
         Number of Denied Attacker Service Pairs Inserted = 0
         Number of Denied Attackers Total Hits = 0
         Number of times max-denied-attackers limited creation of new entry = 0
         Number of exec Clear commands during uptime = 0
      Denied Attackers and hit count for each.
      Denied Attackers with percent denied and hit count for each.


sensor# show int
Interface Statistics
   Total Packets Received = 29934896
   Total Bytes Received = 4010927826
   Missed Packet Percentage = 0
   Current Bypass Mode = Auto_off
MAC statistics from interface GigabitEthernet0/0
   Interface function = Sensing interface
   Description = Connected to Attacker Switch
   Media Type = TX
   Default Vlan = 0
   Inline Mode = Paired with interface GigabitEthernet0/1
   Pair Status = Up
   Hardware Bypass Capable = No
   Hardware Bypass Paired = N/A
   Link Status = Up
   Admin Enabled Status = Enabled
   Link Speed = Auto_100
   Link Duplex = Auto_Full
   Missed Packet Percentage = 0
   Total Packets Received = 4095925
   Total Bytes Received = 298897396
   Total Multicast Packets Received = 3431616
   Total Broadcast Packets Received = 0
   Total Jumbo Packets Received = 0
   Total Undersize Packets Received = 0
   Total Receive Errors = 0
   Total Receive FIFO Overruns = 0
   Total Packets Transmitted = 664379
   Total Bytes Transmitted = 42520256
   Total Multicast Packets Transmitted = 0
   Total Broadcast Packets Transmitted = 0
   Total Jumbo Packets Transmitted = 0
   Total Undersize Packets Transmitted = 0
   Total Transmit Errors = 0

Best Regards,

Justin
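
An added example, not part of Justin's reply or of Cisco's tooling, that turns his two checks into a script: it parses the output of "show statistics virtual-sensor" (show stat virt) and "show interfaces" (show int), reads "Processing Load Percentage" per virtual sensor and "Missed Packet Percentage" / "Total Receive FIFO Overruns" per sensing interface, and reports whether the sensor is keeping up with the traffic it receives. The embedded outputs are constructed, shortened copies of those shown in the reply; the GigabitEthernet0/1 block is invented to complete the inline pair, and the warning thresholds are assumptions.

```python
import re

# Constructed input: shortened copies of the two outputs in the reply.
SHOW_STAT_VIRT = """\
Virtual Sensor Statistics
   Statistics for Virtual Sensor vs0
      Name of current Signature-Defintion instance = sig0
      Name of current Event-Action-Rules instance = rules0
      List of interfaces monitored by this virtual sensor = InterfacePair0 subinterface 0,GigabitEthernet0/3 subinterface 0
      General Statistics for this Virtual Sensor
         Number of seconds since a reset of the statistics = 1627117
         MemoryUsedPercent = 31
         Processing Load Percentage = 1
         Total packets processed since reset = 7875642
         The rate of packets per second since reset = 4
"""

# GigabitEthernet0/1 below is invented to complete the inline pair.
SHOW_INT = """\
Interface Statistics
   Total Packets Received = 29934896
   Total Bytes Received = 4010927826
   Missed Packet Percentage = 0
   Current Bypass Mode = Auto_off
MAC statistics from interface GigabitEthernet0/0
   Interface function = Sensing interface
   Inline Mode = Paired with interface GigabitEthernet0/1
   Link Status = Up
   Missed Packet Percentage = 0
   Total Packets Received = 4095925
   Total Receive Errors = 0
   Total Receive FIFO Overruns = 0
MAC statistics from interface GigabitEthernet0/1
   Interface function = Sensing interface
   Inline Mode = Paired with interface GigabitEthernet0/0
   Link Status = Up
   Missed Packet Percentage = 0
   Total Packets Received = 664379
   Total Receive Errors = 0
   Total Receive FIFO Overruns = 0
"""

KEY_VALUE = re.compile(r"^\s*(.+?)\s*=\s*(.*?)\s*$")


def virtual_sensor_stats(text):
    """Parse 'show statistics virtual-sensor' into {sensor: {key: value}}."""
    sensors, current = {}, None
    for raw in text.splitlines():
        m = re.match(r"\s*Statistics for Virtual Sensor (\S+)", raw)
        if m:
            current = m.group(1)
            sensors[current] = {}
            continue
        m = KEY_VALUE.match(raw)
        if m and current is not None:
            sensors[current][m.group(1)] = m.group(2)
    return sensors


def interface_stats(text):
    """Parse 'show interfaces' into (overall counters, {interface: {key: value}})."""
    overall, per_iface, current = {}, {}, None
    for raw in text.splitlines():
        m = re.match(r"MAC statistics from interface (\S+)", raw)
        if m:
            current = m.group(1)
            per_iface[current] = {}
            continue
        m = KEY_VALUE.match(raw)
        if m:
            target = per_iface[current] if current else overall
            target[m.group(1)] = m.group(2)
    return overall, per_iface


def assess(stat_virt_output, show_int_output, load_warn=80, missed_warn=1.0):
    """Apply the reply's checks. Thresholds are assumptions for this example:
    warn when a virtual sensor's processing load reaches load_warn percent,
    when any sensing interface reports receive FIFO overruns, or when missed
    packets reach missed_warn percent. Returns (healthy, findings)."""
    findings = []
    for vs, kv in virtual_sensor_stats(stat_virt_output).items():
        load = int(kv.get("Processing Load Percentage", "0"))
        if load >= load_warn:
            findings.append(f"{vs}: processing load {load}% (>= {load_warn}%)")
    overall, per_iface = interface_stats(show_int_output)
    missed = float(overall.get("Missed Packet Percentage", "0"))
    if missed >= missed_warn:
        findings.append(f"sensor: {missed}% missed packets overall")
    for iface, kv in per_iface.items():
        if kv.get("Interface function") != "Sensing interface":
            continue  # skip anything that is not a traffic path
        overruns = int(kv.get("Total Receive FIFO Overruns", "0"))
        if overruns:
            findings.append(f"{iface}: {overruns} receive FIFO overruns")
        missed = float(kv.get("Missed Packet Percentage", "0"))
        if missed >= missed_warn:
            findings.append(f"{iface}: {missed}% missed packets")
    return (not findings, findings)


if __name__ == "__main__":
    healthy, findings = assess(SHOW_STAT_VIRT, SHOW_INT)
    print("keeping up" if healthy else "dropping traffic")
    for finding in findings:
        print(" ", finding)
```

The point of parsing these two outputs rather than a CPU gauge is the one the reply makes: the sensor's CPU reading sits at 100% by design, so the processing load figure and the per-interface drop counters are what tell you whether the SPAN or inline feed is being kept up with.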
