Unfortunately, the above method is unlikely to see more than a tiny
fraction of the port 43 exits, which are usually of very short duration.
Instead, try turning on info-level logging. Then you can use something
like
/usr/bin/fgrep connection_edge_finished_connecting /var/log/tor/info.log | \
nice +14 /usr/bin/sed -e 's/connection_edge_finished_connecting(): Exit connection to \[scrubbed\]:/Exit to port /' -e 's/(\[scrubbed\]) //' -e 's/(.* established.//' -e 's/\ established.//' -e 's/ 1499//' | \
nice +14 sort -n -g +7 -8 | uniq -c -f 7
(Beware of linewrap in the line containing the /usr/bin/sed command.) Note
that your paths, options to sort(1) and uniq(1), etc. may vary, depending
upon your operating system. This example works properly for FreeBSD. Also,
use of nice is obviously optional, but a good idea if you're sharing a system
with other users at the same time. Output from the above looks like this:
39 Jun 14 03:19:02.223 [info] Exit to port 443
1 Jun 14 03:16:21.795 [info] Exit to port 6001
1 Jun 14 03:19:20.310 [info] Exit to port 6010
1 Jun 14 03:16:24.275 [info] Exit to port 6666
and so on, where the number at the lefthand side is the number of exits for
that port, and the date+timestamp is from the first occurrence in the log file
of an exit for that port. You may wish to change the final form of the output
lines to suit your own taste.
I think you'll find that scanning an info-level log file gives you a
very different result from looking at periodic samplings of netstat(1) output.
Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet: bennett at cs.niu.edu *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good *
* objection to the introduction of that bane of all free governments *
* -- a standing army." *
* -- Gov. John Hancock, New York Journal, 28 January 1790 *
**********************************************************************