
Re: eliminating bogus port 43 exits



Scott Bennett wrote:
     Unfortunately, the above method is unlikely to see more than a tiny
fraction of the port 43 exits, which are usually of very short duration.
     Instead, try turning on info-level logging.  Then you can use something
like

/usr/bin/fgrep connection_edge_finished_connecting /var/log/tor/info.log | \
 nice +14 /usr/bin/sed -e 's/connection_edge_finished_connecting(): Exit connection to \[scrubbed\]:/Exit to port /' -e 's/(\[scrubbed\]) //' -e 's/(.* established.//' -e 's/\ established.//' -e 's/ 1499//' | \
  nice +14 sort -n -g +7 -8 | uniq -c -f 7

(Beware of linewrap in the line containing the /usr/bin/sed command.)  Note
that your paths, options to sort(1) and uniq(1), etc. may vary, depending
upon your operating system.  This example works properly for FreeBSD.  Also,
use of nice is obviously optional, but a good idea if you're sharing a system
with other users at the same time.  Output from the above looks like this:

  39 Jun 14 03:19:02.223 [info] Exit to port 443
   1 Jun 14 03:16:21.795 [info] Exit to port 6001
   1 Jun 14 03:19:20.310 [info] Exit to port 6010
   1 Jun 14 03:16:24.275 [info] Exit to port 6666

and so on, where the number at the lefthand side is the number of exits for
that port, and the date+timestamp is from the first occurrence in the log file
of an exit for that port.  You may wish to change the final form of the output
lines to suit your own taste.
     I think you'll find that scanning an info-level log file gives you a
very different result from looking at periodic samplings of netstat(1) output.

As promised, here are the results of Scott's script
24 hours after switching on info logging:

Sorted by port number (for ports < 1000)
  11 Jun 14 12:05:48.178 [info] Exit to port 21
   3 Jun 14 22:15:29.243 [info] Exit to port 22
   1 Jun 15 05:12:38.435 [info] Exit to port 29
1191 Jun 14 11:51:28.925 [info] Exit to port 43
   2 Jun 15 03:39:32.109 [info] Exit to port 53
   1 Jun 14 12:54:54.073 [info] Exit to port 57
   2 Jun 15 05:19:21.415 [info] Exit to port 64
24043 Jun 14 11:07:00.997 [info] Exit to port 80
  25 Jun 14 12:37:02.716 [info] Exit to port 81
   5 Jun 14 11:29:10.296 [info] Exit to port 82
   2 Jun 14 16:34:00.878 [info] Exit to port 83
   3 Jun 14 18:04:02.749 [info] Exit to port 84
   5 Jun 14 11:16:10.207 [info] Exit to port 85
   1 Jun 14 14:52:40.523 [info] Exit to port 86
   4 Jun 14 13:41:44.467 [info] Exit to port 87
   3 Jun 14 16:34:02.507 [info] Exit to port 89
   1 Jun 15 04:44:09.560 [info] Exit to port 90
   1 Jun 15 04:27:40.454 [info] Exit to port 91
   1 Jun 14 23:32:00.738 [info] Exit to port 92
   1 Jun 15 01:24:52.137 [info] Exit to port 95
   1 Jun 14 16:12:14.378 [info] Exit to port 96
   4 Jun 15 00:03:03.627 [info] Exit to port 98
   4 Jun 14 16:08:53.067 [info] Exit to port 99
   1 Jun 15 03:42:39.595 [info] Exit to port 101
   2 Jun 14 14:00:35.252 [info] Exit to port 102
   1 Jun 14 18:04:49.153 [info] Exit to port 104
   1 Jun 14 11:38:37.984 [info] Exit to port 109
  48 Jun 14 14:38:07.948 [info] Exit to port 110
   6 Jun 14 15:22:22.942 [info] Exit to port 119
 541 Jun 14 12:00:24.675 [info] Exit to port 187
   1 Jun 14 21:36:46.609 [info] Exit to port 400
   1 Jun 15 04:55:13.365 [info] Exit to port 411
   1 Jun 14 19:16:05.586 [info] Exit to port 442
2193 Jun 14 11:43:03.144 [info] Exit to port 443
   1 Jun 14 15:23:54.915 [info] Exit to port 462
   1 Jun 15 01:09:02.965 [info] Exit to port 554
   1 Jun 14 15:32:29.782 [info] Exit to port 623
   1 Jun 15 00:03:11.737 [info] Exit to port 666
   1 Jun 15 02:19:05.865 [info] Exit to port 800
   2 Jun 14 12:22:13.641 [info] Exit to port 808
   1 Jun 15 07:40:10.154 [info] Exit to port 809
   1 Jun 15 08:43:43.371 [info] Exit to port 888
  18 Jun 14 12:32:28.145 [info] Exit to port 995
<snip>

Reverse sorted by count
24043 Jun 14 11:07:00.997 [info] Exit to port 80
2193 Jun 14 11:43:03.144 [info] Exit to port 443
1191 Jun 14 11:51:28.925 [info] Exit to port 43
 541 Jun 14 12:00:24.675 [info] Exit to port 187
 464 Jun 14 11:26:03.550 [info] Exit to port 5001
 173 Jun 14 11:16:51.925 [info] Exit to port 2710
 165 Jun 14 11:12:34.809 [info] Exit to port 8080
 121 Jun 14 11:34:26.406 [info] Exit to port 6667
 119 Jun 14 11:26:27.558 [info] Exit to port 51413
  94 Jun 14 11:54:26.254 [info] Exit to port 7000
  89 Jun 14 11:24:18.469 [info] Exit to port 8000
  78 Jun 14 23:48:17.454 [info] Exit to port 5004
  62 Jun 14 13:36:26.436 [info] Exit to port 5050
  48 Jun 14 14:38:07.948 [info] Exit to port 110
<snip>

Will blocking/restricting port 43 improve the performance
of the tor-network? Or do we need more info (e.g. KBs/port/sec)?

Hans de Hartog
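
A portable take on the per-port tally discussed in this message, as an added example that is not part of the original post or Scott's script: it uses awk and POSIX sort keys instead of the `sort +7 -8` options, which the post notes may vary by operating system, and it adds each port's share of the total. The function names and the sample log lines are constructed; the log line layout is inferred from the sed expressions above.

```shell
#!/bin/sh
# Added example: per-port exit counts from a Tor info-level log.
# Output columns: count  port  share%  first-seen timestamp; busiest port first.
# Usage: exit_port_counts /var/log/tor/info.log   (or feed the log on stdin)
exit_port_counts() {
    awk '
    # Same fixed string the fgrep in the post looks for, plus the
    # "Exit connection to" text that the sed expression rewrites.
    index($0, "connection_edge_finished_connecting(): Exit connection to ") {
        # Take the digits after the last colon of the host:port token.
        if (!match($0, /Exit connection to [^ ]+:[0-9]+/)) next
        port = substr($0, RSTART, RLENGTH)
        sub(/.*:/, "", port)
        port += 0
        if (port < 1 || port > 65535) next      # skip damaged lines
        if (!(port in count)) first[port] = $1 " " $2 " " $3
        count[port]++
        total++
    }
    END {
        for (p in count)
            printf "%d %d %d%% %s\n", count[p], p,
                   int(count[p] * 100 / total + 0.5), first[p]
    }' "$@" | sort -k1,1nr -k2,2n
}

# Constructed sample input. The line layout is inferred from the sed
# expressions in the post; it is not copied from a real log.
sample_log() {
    cat <<'EOF'
Jun 14 11:07:00.997 [info] connection_edge_finished_connecting(): Exit connection to [scrubbed]:80 ([scrubbed]) established.
Jun 14 11:43:03.144 [info] connection_edge_finished_connecting(): Exit connection to [scrubbed]:443 ([scrubbed]) established.
Jun 14 11:51:28.925 [info] connection_edge_finished_connecting(): Exit connection to [scrubbed]:43 ([scrubbed]) established.
Jun 14 11:51:29.101 [info] constructed_unrelated_function(): not an exit line
Jun 14 11:51:30.002 [info] connection_edge_finished_connecting(): Exit connection to [scrubbed]:43 ([scrubbed]) established.
Jun 14 11:51:31.450 [info] connection_edge_finished_connecting(): Exit connection to [scrubbed]:43 ([scrubbed]) established.
EOF
}

sample_log | exit_port_counts
```

Because the tally is built in one awk pass, the log does not need to be pre-sorted the way `uniq -c` requires.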