Topic: m0n0wall CPU at 100%
« on: January 20, 2012, 18:53:34 »
awangatboo *
Posts: 14

Can anyone give me tips as to how I can find out why my m0n0wall CPU is running at 100%?

I have a P4 2.8GHz with two NICs.  Only really working with captive portal.

I know I have about 2500 sessions that go through it as I have a system on the outbound end that tells me this.

Also on another note the DHCP leases page under diag will not load.

Ideas?
« Reply #1 on: January 20, 2012, 18:56:51 »
Fred Grayson *****
Posts: 994

Try running the top command from the /exec.php page.

--
Google is your friend and Bob's your uncle.
« Reply #2 on: January 20, 2012, 19:02:40 »
awangatboo *
Posts: 14


Wow, that was a quick response.  I ran top and I see that dnsmasq is the top thing running.  I will see if there is any way to troubleshoot why this is running so high.
« Reply #3 on: January 23, 2012, 10:10:45 »
Јаневски ***
Posts: 153

For some reason I believe you might have a packet flood, probably of DHCP packets, which is usually caused by a switching loop or malicious intentions.

My suggestion is to inspect the interface traffic with a traffic sniffer tool and interpret the data with a packet analyzer tool.
Also check other interfaces on the same broadcast domain, usually on the same switch.

PS: If you suspect dnsmasq, turn it off or kill it temporarily to check if it's the cause.
« Last Edit: January 23, 2012, 10:13:06 by Јаневски »

« Reply #4 on: January 27, 2012, 04:47:43 »
cmb *****
Posts: 851

The only time I've seen dnsmasq at 100% CPU is if you create a DNS forwarding loop. Most commonly, you configure m0n0wall to use a DNS server which is configured to use m0n0wall as its DNS server (or similar circumstances with the same end result). So m0n0wall sends the query to its DNS server, which sends it to m0n0wall, which sends it back, and loops it forever and ever as fast as it can.
« Reply #5 on: January 28, 2012, 18:06:14 »
brushedmoss ****
Posts: 446

It is possible someone is using dnsmasq to tunnel their packets to avoid your portal.  It's not that common but is possible.

Setting up tcpdump would help.
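
Added example, not part of any post in this thread: a Python triage over `tcpdump -n port 53` text output that separates the two dnsmasq causes raised in Replies #4 and #5, a forwarding loop (the same question crossing between two hosts in both directions) and tunnel-like traffic (one client sending many unique, long labels under one domain). The function name `triage`, the thresholds, the last-two-labels parent-domain heuristic and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Query line as printed by `tcpdump -n port 53` (responses do not match).
QUERY = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.53: "
                   r"\d+\S* (?:\[\S+\] )?(\w+)\? (\S+) \(")

# Constructed sample: firewall 192.168.1.1, internal DNS server 192.168.1.10,
# an ordinary client 192.168.1.50 and a suspicious client 192.168.1.77.
SAMPLE = [
    "10:00:00.000001 IP 192.168.1.1.40001 > 192.168.1.10.53: 1001+ A? www.example.com. (33)",
    "10:00:00.000150 IP 192.168.1.10.40002 > 192.168.1.1.53: 2001+ A? www.example.com. (33)",
    "10:00:00.000300 IP 192.168.1.1.40003 > 192.168.1.10.53: 1002+ A? www.example.com. (33)",
    "10:00:00.500000 IP 192.168.1.50.51000 > 192.168.1.1.53: 7001+ A? www.example.org. (33)",
] + [
    f"10:00:01.{i:06d} IP 192.168.1.77.{50000 + i} > 192.168.1.1.53: "
    f"{3000 + i}+ TXT? c{i:02d}{'x' * 32}.t.example.net. (80)"
    for i in range(5)
]

def triage(lines, min_unique=4, min_label_len=30):
    """Return (loops, tunnels) found in tcpdump text output.
    Thresholds are illustrative assumptions; tune them on real traffic."""
    directions = defaultdict(set)   # (qname, qtype) -> {(src, dst), ...}
    names = defaultdict(set)        # (src, parent domain) -> unique qnames
    for line in lines:
        m = QUERY.search(line)
        if not m:
            continue
        src, dst, qtype, qname = m.groups()
        qname = qname.rstrip(".").lower()
        directions[(qname, qtype)].add((src, dst))
        parent = ".".join(qname.split(".")[-2:])  # naive: last two labels
        names[(src, parent)].add(qname)
    # Forwarding loop: the same question travels A -> B and also B -> A.
    loops = sorted({(q, tuple(sorted(p)))
                    for (q, _), pairs in directions.items()
                    for p in pairs if (p[1], p[0]) in pairs})
    # Tunnel-like: one client, one parent domain, many unique long first labels.
    tunnels = []
    for (src, parent), qs in names.items():
        long_names = [q for q in qs if len(q.split(".")[0]) >= min_label_len]
        if len(long_names) >= min_unique:
            tunnels.append((src, parent, len(long_names)))
    return loops, sorted(tunnels)
```

On the constructed sample, `triage(SAMPLE)` reports one loop between 192.168.1.1 and 192.168.1.10 and one tunnel-like client, 192.168.1.77.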
« Reply #6 on: February 09, 2012, 23:04:43 »
awangatboo *
Posts: 14

I am not really sure if it was DNS or if that was a one-time thing.  I still am having load averages like 5.10   6.21   16.72.

I am not sure what the issue is.  Most of the time 4 or 5 php's are on the top of the list with top, but with load averages this high I expect to see some IO wait.

Does anyone think putting more hardware behind this will help?  Will a true multi core system help?