eliminating bogus port 43 exits

Hans de Hartog dehartog at rootsr.com
Mon Jun 15 10:12:46 UTC 2009


Scott Bennett wrote:
>      Unfortunately, the above method is unlikely to see more than a tiny
> fraction of the port 43 exits, which are usually of very short duration.
>      Instead, try turning on info-level logging.  Then you can use something
> like
>
> /usr/bin/fgrep connection_edge_finished_connecting /var/log/tor/info.log | \
>  nice +14 /usr/bin/sed -e 's/connection_edge_finished_connecting(): Exit connection to \[scrubbed\]:/Exit to port /' -e 's/(\[scrubbed\]) //' -e 's/(.* established.//' -e 's/\ established.//' -e 's/ 1499//' | \
>   nice +14 sort -n -g +7 -8 | uniq -c -f 7
>
> (Beware of linewrap in the line containing the /usr/bin/sed command.)  Note
> that your paths, options to sort(1) and uniq(1), etc. may vary, depending
> upon your operating system.  This example works properly for FreeBSD.  Also,
> use of nice is obviously optional, but a good idea if you're sharing a system
> with other users at the same time.  Output from the above looks like this:
>
>   39 Jun 14 03:19:02.223 [info] Exit to port 443
>    1 Jun 14 03:16:21.795 [info] Exit to port 6001
>    1 Jun 14 03:19:20.310 [info] Exit to port 6010
>    1 Jun 14 03:16:24.275 [info] Exit to port 6666
>
> and so on, where the number at the lefthand side is the number of exits for
> that port, and the date+timestamp is from the first occurrence in the log file
> of an exit for that port.  You may wish to change the final form of the output
> lines to suit your own taste.
>      I think you'll find that scanning an info-level log file gives you a
> very different result from looking at periodic samplings of netstat(1) output.

As promised, here are the results of Scott's script
24 hours after switching on info logging:

Sorted by port number (for ports < 1000)
   11 Jun 14 12:05:48.178 [info] Exit to port 21
    3 Jun 14 22:15:29.243 [info] Exit to port 22
    1 Jun 15 05:12:38.435 [info] Exit to port 29
 1191 Jun 14 11:51:28.925 [info] Exit to port 43
    2 Jun 15 03:39:32.109 [info] Exit to port 53
    1 Jun 14 12:54:54.073 [info] Exit to port 57
    2 Jun 15 05:19:21.415 [info] Exit to port 64
24043 Jun 14 11:07:00.997 [info] Exit to port 80
   25 Jun 14 12:37:02.716 [info] Exit to port 81
    5 Jun 14 11:29:10.296 [info] Exit to port 82
    2 Jun 14 16:34:00.878 [info] Exit to port 83
    3 Jun 14 18:04:02.749 [info] Exit to port 84
    5 Jun 14 11:16:10.207 [info] Exit to port 85
    1 Jun 14 14:52:40.523 [info] Exit to port 86
    4 Jun 14 13:41:44.467 [info] Exit to port 87
    3 Jun 14 16:34:02.507 [info] Exit to port 89
    1 Jun 15 04:44:09.560 [info] Exit to port 90
    1 Jun 15 04:27:40.454 [info] Exit to port 91
    1 Jun 14 23:32:00.738 [info] Exit to port 92
    1 Jun 15 01:24:52.137 [info] Exit to port 95
    1 Jun 14 16:12:14.378 [info] Exit to port 96
    4 Jun 15 00:03:03.627 [info] Exit to port 98
    4 Jun 14 16:08:53.067 [info] Exit to port 99
    1 Jun 15 03:42:39.595 [info] Exit to port 101
    2 Jun 14 14:00:35.252 [info] Exit to port 102
    1 Jun 14 18:04:49.153 [info] Exit to port 104
    1 Jun 14 11:38:37.984 [info] Exit to port 109
   48 Jun 14 14:38:07.948 [info] Exit to port 110
    6 Jun 14 15:22:22.942 [info] Exit to port 119
  541 Jun 14 12:00:24.675 [info] Exit to port 187
    1 Jun 14 21:36:46.609 [info] Exit to port 400
    1 Jun 15 04:55:13.365 [info] Exit to port 411
    1 Jun 14 19:16:05.586 [info] Exit to port 442
 2193 Jun 14 11:43:03.144 [info] Exit to port 443
    1 Jun 14 15:23:54.915 [info] Exit to port 462
    1 Jun 15 01:09:02.965 [info] Exit to port 554
    1 Jun 14 15:32:29.782 [info] Exit to port 623
    1 Jun 15 00:03:11.737 [info] Exit to port 666
    1 Jun 15 02:19:05.865 [info] Exit to port 800
    2 Jun 14 12:22:13.641 [info] Exit to port 808
    1 Jun 15 07:40:10.154 [info] Exit to port 809
    1 Jun 15 08:43:43.371 [info] Exit to port 888
   18 Jun 14 12:32:28.145 [info] Exit to port 995
<snip>

Reverse sorted by count
24043 Jun 14 11:07:00.997 [info] Exit to port 80
 2193 Jun 14 11:43:03.144 [info] Exit to port 443
 1191 Jun 14 11:51:28.925 [info] Exit to port 43
  541 Jun 14 12:00:24.675 [info] Exit to port 187
  464 Jun 14 11:26:03.550 [info] Exit to port 5001
  173 Jun 14 11:16:51.925 [info] Exit to port 2710
  165 Jun 14 11:12:34.809 [info] Exit to port 8080
  121 Jun 14 11:34:26.406 [info] Exit to port 6667
  119 Jun 14 11:26:27.558 [info] Exit to port 51413
   94 Jun 14 11:54:26.254 [info] Exit to port 7000
   89 Jun 14 11:24:18.469 [info] Exit to port 8000
   78 Jun 14 23:48:17.454 [info] Exit to port 5004
   62 Jun 14 13:36:26.436 [info] Exit to port 5050
   48 Jun 14 14:38:07.948 [info] Exit to port 110
<snip>

Will blocking/restricting port 43 improve the performance
of the tor-network? Or do we need more info (e.g. KBs/port/sec)?

Hans de Hartog
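
A portable version of the per-port tally described in the quoted message, as an added example that is not part of the original thread: it uses POSIX awk and `sort -k` in place of the `sort +7 -8` key syntax, which the quoted message notes may vary between operating systems. The log line layout is an assumption reconstructed from the sed expressions in the quoted pipeline; `tally_exits`, `exits_by_port`, `exits_by_count` and `sample_log` are hypothetical names, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). The log line layout is an
# assumption reconstructed from the sed expressions in the quoted pipeline.

# tally_exits [logfile...]: one line per port, in the post's output format:
#   <count> <timestamp of first occurrence> [info] Exit to port <port>
tally_exits() {
    awk '
    /connection_edge_finished_connecting\(\): Exit connection to / {
        dest = ""
        for (i = 1; i < NF; i++)          # destination follows the word "to"
            if ($i == "to") { dest = $(i + 1); break }
        n = split(dest, part, ":")        # port is whatever follows the last ":"
        port = part[n]
        if (n < 2 || port !~ /^[0-9]+$/) next   # skip malformed lines
        if (!(port in count)) first[port] = $1 " " $2 " " $3
        count[port]++
    }
    END {
        for (p in count)
            printf "%5d %s [info] Exit to port %s\n", count[p], first[p], p
    }' "$@"
}

# Field 9 of each output line is the port; field 1 is the count.
exits_by_port()  { tally_exits "$@" | sort -k9,9n; }
exits_by_count() { tally_exits "$@" | sort -k1,1nr -k9,9n; }

# Constructed sample log lines (not real relay data).
sample_log() {
    cat <<'EOF'
Jun 14 11:07:00.997 [info] connection_edge_finished_connecting(): Exit connection to [scrubbed]:80 ([scrubbed]) established.
Jun 14 11:43:03.144 [info] connection_edge_finished_connecting(): Exit connection to [scrubbed]:443 ([scrubbed]) established.
Jun 14 11:51:28.925 [info] connection_edge_finished_connecting(): Exit connection to [scrubbed]:43 ([scrubbed]) established.
Jun 14 11:51:29.101 [info] connection_edge_finished_connecting(): Exit connection to [scrubbed]:43 ([scrubbed]) established.
Jun 14 11:52:00.000 [info] some_other_function(): unrelated constructed message.
Jun 14 11:53:10.500 [info] connection_edge_finished_connecting(): Exit connection to [scrubbed]:80 ([scrubbed]) established.
Jun 14 11:54:00.250 [info] connection_edge_finished_connecting(): Exit connection to [scrubbed]:43 ([scrubbed]) established.
EOF
}

# With no file arguments the functions read standard input.
sample_log | exits_by_count
```

Run against a real log as `exits_by_port /var/log/tor/info.log`; because awk reads the file in order, the timestamp shown is the first occurrence of each port in the log.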


