Scott Bennett wrote:
Unfortunately, the above method is unlikely to see more than a tiny fraction of the port 43 exits, which are usually of very short duration. Instead, try turning on info-level logging. Then you can use something like

    /usr/bin/fgrep connection_edge_finished_connecting /var/log/tor/info.log | \
    nice +14 /usr/bin/sed -e 's/connection_edge_finished_connecting(): Exit connection to \[scrubbed\]:/Exit to port /' -e 's/(\[scrubbed\]) //' -e 's/(.* established.//' -e 's/\ established.//' -e 's/ 1499//' | \
    nice +14 sort -n -g +7 -8 | uniq -c -f 7

(Beware of linewrap in the line containing the /usr/bin/sed command.)

Note that your paths, options to sort(1) and uniq(1), etc. may vary, depending upon your operating system. This example works properly for FreeBSD. Also, use of nice is obviously optional, but a good idea if you're sharing a system with other users at the same time.

Output from the above looks like this:

      39 Jun 14 03:19:02.223 [info] Exit to port 443
       1 Jun 14 03:16:21.795 [info] Exit to port 6001
       1 Jun 14 03:19:20.310 [info] Exit to port 6010
       1 Jun 14 03:16:24.275 [info] Exit to port 6666

and so on, where the number at the lefthand side is the number of exits for that port, and the date+timestamp is from the first occurrence in the log file of an exit for that port. You may wish to change the final form of the output lines to suit your own taste.

I think you'll find that scanning an info-level log file gives you a very different result from looking at periodic samplings of netstat(1) output.

As promised, here are the results of Scott's script 24 hours after switching on info logging:

Sorted by port number (for ports < 1000)

      11 Jun 14 12:05:48.178 [info] Exit to port 21
       3 Jun 14 22:15:29.243 [info] Exit to port 22
       1 Jun 15 05:12:38.435 [info] Exit to port 29
    1191 Jun 14 11:51:28.925 [info] Exit to port 43
       2 Jun 15 03:39:32.109 [info] Exit to port 53
       1 Jun 14 12:54:54.073 [info] Exit to port 57
       2 Jun 15 05:19:21.415 [info] Exit to port 64
   24043 Jun 14 11:07:00.997 [info] Exit to port 80
      25 Jun 14 12:37:02.716 [info] Exit to port 81
       5 Jun 14 11:29:10.296 [info] Exit to port 82
       2 Jun 14 16:34:00.878 [info] Exit to port 83
       3 Jun 14 18:04:02.749 [info] Exit to port 84
       5 Jun 14 11:16:10.207 [info] Exit to port 85
       1 Jun 14 14:52:40.523 [info] Exit to port 86
       4 Jun 14 13:41:44.467 [info] Exit to port 87
       3 Jun 14 16:34:02.507 [info] Exit to port 89
       1 Jun 15 04:44:09.560 [info] Exit to port 90
       1 Jun 15 04:27:40.454 [info] Exit to port 91
       1 Jun 14 23:32:00.738 [info] Exit to port 92
       1 Jun 15 01:24:52.137 [info] Exit to port 95
       1 Jun 14 16:12:14.378 [info] Exit to port 96
       4 Jun 15 00:03:03.627 [info] Exit to port 98
       4 Jun 14 16:08:53.067 [info] Exit to port 99
       1 Jun 15 03:42:39.595 [info] Exit to port 101
       2 Jun 14 14:00:35.252 [info] Exit to port 102
       1 Jun 14 18:04:49.153 [info] Exit to port 104
       1 Jun 14 11:38:37.984 [info] Exit to port 109
      48 Jun 14 14:38:07.948 [info] Exit to port 110
       6 Jun 14 15:22:22.942 [info] Exit to port 119
     541 Jun 14 12:00:24.675 [info] Exit to port 187
       1 Jun 14 21:36:46.609 [info] Exit to port 400
       1 Jun 15 04:55:13.365 [info] Exit to port 411
       1 Jun 14 19:16:05.586 [info] Exit to port 442
    2193 Jun 14 11:43:03.144 [info] Exit to port 443
       1 Jun 14 15:23:54.915 [info] Exit to port 462
       1 Jun 15 01:09:02.965 [info] Exit to port 554
       1 Jun 14 15:32:29.782 [info] Exit to port 623
       1 Jun 15 00:03:11.737 [info] Exit to port 666
       1 Jun 15 02:19:05.865 [info] Exit to port 800
       2 Jun 14 12:22:13.641 [info] Exit to port 808
       1 Jun 15 07:40:10.154 [info] Exit to port 809
       1 Jun 15 08:43:43.371 [info] Exit to port 888
      18 Jun 14 12:32:28.145 [info] Exit to port 995
    <snip>

Reverse sorted by count

   24043 Jun 14 11:07:00.997 [info] Exit to port 80
    2193 Jun 14 11:43:03.144 [info] Exit to port 443
    1191 Jun 14 11:51:28.925 [info] Exit to port 43
     541 Jun 14 12:00:24.675 [info] Exit to port 187
     464 Jun 14 11:26:03.550 [info] Exit to port 5001
     173 Jun 14 11:16:51.925 [info] Exit to port 2710
     165 Jun 14 11:12:34.809 [info] Exit to port 8080
     121 Jun 14 11:34:26.406 [info] Exit to port 6667
     119 Jun 14 11:26:27.558 [info] Exit to port 51413
      94 Jun 14 11:54:26.254 [info] Exit to port 7000
      89 Jun 14 11:24:18.469 [info] Exit to port 8000
      78 Jun 14 23:48:17.454 [info] Exit to port 5004
      62 Jun 14 13:36:26.436 [info] Exit to port 5050
      48 Jun 14 14:38:07.948 [info] Exit to port 110
    <snip>

Will blocking/restricting port 43 improve the performance of the tor-network? Or do we need more info (e.g. KBs/port/sec)?

Hans de Hartog
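
The per-port tally from the quoted pipeline, written so it does not depend on platform-specific sort(1) and uniq(1) options and gives both orderings shown above. This is an added example, not part of either message. The log line layout is an assumption inferred from the sed expressions, the sample lines are constructed, and all function names are hypothetical.

```python
import re
from collections import namedtuple

# Constructed sample lines; the layout is assumed from the sed patterns in the
# quoted message and may differ between Tor versions.
SAMPLE_LOG = """\
Jun 14 11:07:00.997 [info] connection_edge_finished_connecting(): Exit connection to [scrubbed]:80 ([scrubbed]) established.
Jun 14 11:07:01.210 [info] connection_edge_finished_connecting(): Exit connection to [scrubbed]:43 ([scrubbed]) established.
Jun 14 11:07:01.988 [info] some_other_function(): unrelated constructed message.
Jun 14 11:07:02.431 [info] connection_edge_finished_connecting(): Exit connection to [scrubbed]:80 ([scrubbed]) established.
Jun 14 11:07:03.002 [info] connection_edge_finished_connecting(): Exit connection to [scrubbed]:443 ([scrubbed]) established.
Jun 14 11:07:03.540 [info] connection_edge_finished_connecting(): Exit connection to [scrubbed]:43 ([scrubbed]) established.
Jun 14 11:07:04.117 [info] connection_edge_finished_connecting(): Exit connection to [scrubbed]:43 ([scrubbed]) established.
"""

# Timestamp, then the logging function name, then "<address>:<port> (".
EXIT_RE = re.compile(
    r"^(?P<stamp>\S+ +\d+ \S+) \[info\] connection_edge_finished_connecting\(\): "
    r"Exit connection to \S+:(?P<port>\d+) \(")

PortStat = namedtuple("PortStat", "port count first_seen")

def tally_exits(lines):
    """Count exit connections per port, keeping the first timestamp seen."""
    stats = {}
    for line in lines:
        m = EXIT_RE.match(line)
        if not m:
            continue  # not an exit-connection line
        port = int(m.group("port"))
        count, first = stats.get(port, (0, m.group("stamp")))
        stats[port] = (count + 1, first)
    return [PortStat(p, c, f) for p, (c, f) in stats.items()]

def by_port(stats):
    return sorted(stats, key=lambda s: s.port)

def by_count(stats):
    # Highest count first; ties broken by port number for stable output.
    return sorted(stats, key=lambda s: (-s.count, s.port))

def render(stats):
    return [f"{s.count} {s.first_seen} [info] Exit to port {s.port}" for s in stats]

if __name__ == "__main__":
    stats = tally_exits(SAMPLE_LOG.splitlines())
    print("\n".join(render(by_port(stats)) + ["--"] + render(by_count(stats))))
```

To run it against a real log, pass an open file object for the info-level log to `tally_exits` in place of the sample.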