
Re: eliminating bogus port 43 exits



     On Sun, 14 Jun 2009 09:57:31 +0200 Hans de Hartog <dehartog@xxxxxxxxxx>
wrote:
>Let's get back to the facts. I ran the following script last night
>every 10 seconds for 10 hours on my exit node (lowest possible
>bandwidth, i.e. 20 KBs).
>Port Connections(cumulative for all runs)
>443   131013
>80     31367
>43     306
>Other ports are negligible, so why the fuss about port 43?
>The script:
>netstat -n | awk '
>/^tcp4/ { split($5, p, ".")
>   if(p[5] < 1000) cnt[p[5]]++
>}
>END { for (a in cnt) {
>    printf("%4d %8d\n", a, cnt[a])
>} }'
>
     Unfortunately, the above method is unlikely to see more than a tiny
fraction of the port 43 exits, which are usually of very short duration.
     Instead, try turning on info-level logging.  Then you can use something
like

/usr/bin/fgrep connection_edge_finished_connecting /var/log/tor/info.log | \
 nice +14 /usr/bin/sed -e 's/connection_edge_finished_connecting(): Exit connection to \[scrubbed\]:/Exit to port /' -e 's/(\[scrubbed\]) //' -e 's/(.* established.//' -e 's/\ established.//' -e 's/ 1499//' | \
  nice +14 sort -n -g +7 -8 | uniq -c -f 7

(Beware of linewrap in the line containing the /usr/bin/sed command.)  Note
that your paths, options to sort(1) and uniq(1), etc. may vary, depending
upon your operating system.  This example works properly for FreeBSD.  Also,
use of nice is obviously optional, but a good idea if you're sharing a system
with other users at the same time.  Output from the above looks like this:

  39 Jun 14 03:19:02.223 [info] Exit to port 443
   1 Jun 14 03:16:21.795 [info] Exit to port 6001
   1 Jun 14 03:19:20.310 [info] Exit to port 6010
   1 Jun 14 03:16:24.275 [info] Exit to port 6666

and so on, where the number at the left-hand side is the number of exits for
that port, and the date+timestamp is from the first occurrence in the log file
of an exit for that port.  You may wish to change the final form of the output
lines to suit your own taste.
     I think you'll find that scanning an info-level log file gives you a
very different result from looking at periodic samplings of netstat(1) output.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
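The same per-port count, as an added example that is not part of either message above: a small Python parser for the connection_edge_finished_connecting lines that the sed pipeline rewrites. It assumes the line shape implied by those sed expressions (timestamp, "[info]", the function name, "Exit connection to [scrubbed]:PORT ([scrubbed]) established.") and runs over a constructed six-line log embedded in the block; the timestamp it keeps is the first occurrence in log order, independent of sort stability.

```python
import re

# Shape of the info-level line the sed pipeline rewrites (assumed from the
# sed patterns); addresses appear as "[scrubbed]" because Tor scrubs them.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d+) \[info\] '
    r'connection_edge_finished_connecting\(\): '
    r'Exit connection to \[scrubbed\]:(?P<port>\d+) .*established\.'
)


def count_exits_by_port(lines):
    """Return {port: (count, first_timestamp)} for an iterable of log lines.

    Every completed exit connection is counted, however short-lived, which is
    what periodic netstat sampling misses. first_timestamp is the first one
    seen in log order, so it does not depend on sort(1) being stable.
    """
    stats = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an exit-established line; skip it
        port = int(m.group('port'))
        count, first = stats.get(port, (0, m.group('ts')))
        stats[port] = (count + 1, first)
    return stats


def format_report(stats):
    """Render rows in the pipeline's 'count ts [info] Exit to port N' shape, by port."""
    return [f"{c:4d} {ts} [info] Exit to port {p}"
            for p, (c, ts) in sorted(stats.items())]


# Constructed sample log (not real Tor output); one non-matching line included.
SAMPLE_LOG = """\
Jun 14 03:16:21.795 [info] connection_edge_finished_connecting(): Exit connection to [scrubbed]:6001 ([scrubbed]) established.
Jun 14 03:16:24.275 [info] connection_edge_finished_connecting(): Exit connection to [scrubbed]:43 ([scrubbed]) established.
Jun 14 03:19:02.223 [info] connection_edge_finished_connecting(): Exit connection to [scrubbed]:443 ([scrubbed]) established.
Jun 14 03:19:02.410 [info] constructed unrelated info-level message
Jun 14 03:19:05.001 [info] connection_edge_finished_connecting(): Exit connection to [scrubbed]:443 ([scrubbed]) established.
Jun 14 03:19:05.120 [info] connection_edge_finished_connecting(): Exit connection to [scrubbed]:43 ([scrubbed]) established.
"""

if __name__ == "__main__":
    for row in format_report(count_exits_by_port(SAMPLE_LOG.splitlines())):
        print(row)
```

To use it on a real relay, replace SAMPLE_LOG with the contents of the info-level log (e.g. open('/var/log/tor/info.log')).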