tor-ctrl-observer - Tor Connection Destination Viewer

From Whonix
(Redirected from Tor-ctrl-observe)
Jump to navigation Jump to search


Ever wanted to know which information is sent by an application? tor-ctrl-observer shows connection information of applications using Tor.

What tor-ctrl-observer is[edit]

Ever wanted to know which information is sent by an application? tor-ctrl-observer shows connection information of applications using Tor.

Sample printout:

250-stream-status=1094 SENTCONNECT 20
250-stream-status=1094 SUCCEEDED 20

tor-ctrl-observer is especially useful in combination with Whonix ™ because:
All traffic originating from Whonix-Workstation ™ and Whonix-Gateway ™ is routed over Tor. [1] [2] [3] [4] [5] [6] [7]

tor-ctrl-observer operates in sane, secure way by using Tor's control protocol to make information visible to users that Tor is internally processing and ready to share with users on request anyhow.

tor-ctrl-observer Advantages[edit]


In Whonix-Gateway ™.

1. Open a terminal.

2. Run tor-ctrl-observer.


3. Terminate tor-ctrl-observer with signal sigint.

Press keyboard keys Ctrl + C.

What tor-ctrl-observer is not[edit]

tor-ctrl-observer does not attempt to be, is not and cannot be a:

  • Network level leak tests replacement: In illustrative language, this is because tor-ctrl-observer does only nicely ask Tor "please show me all the connections you are creating". It is then up to Tor to honor the request. Tor might generally do so but if there were bugs in the Tor control protocol then tor-ctrl-observer could not catch these. If connections are by-passing Tor, in other words not using Tor then Tor is obviously not aware of these connections and therefore tor-ctrl-observer cannot observe such connections.
  • Tor auditor: For the same reason as above, tor-ctrl-observer cannot be expected to find bugs in Tor.
  • Tor Controller: Such as Nyx. What is the difference between nyx and tor-ctrl-observer? nyx shows information about which Tor circuits (Bridges, Tor Entry Guards, Tor middle or exit relays) are used but not the final connection destinations. On the other hand, tor-ctrl-observer shows information about final connection destinations.

Forum Discussion[edit]

See Also[edit]


  1. Since Whonix ™ version 0.2.1 Whonix-Gateway ™ traffic is also routed over Tor. In this way, use of Whonix ™ is hidden from persons or systems observing the network.
  2. To preserve the anonymity of a user's Whonix-Workstation ™ activities, it is not necessary to torify Whonix-Gateway ™ own traffic.
  3. For reader interest: If DNS settings on Whonix-Gateway ™ are changed in /etc/resolv.conf, this only affects Whonix-Gateway ™ own DNS requests issued by applications using the system's default DNS resolver. By default, no applications issuing network traffic on Whonix-Gateway ™ use the system's default DNS resolver. All applications installed by default on Whonix-Gateway ™ that issue network traffic (apt,, sdwdate) are explicitly configured, or forced by uwt wrappers, to use their own Tor SocksPort (see Stream Isolation).
  4. Whonix-Workstation ™ default applications are configured to use separate Tor SocksPorts (see Stream Isolation), thereby not using the system's default DNS resolver. Any applications in Whonix-Workstation ™ that are not configured for stream isolation - for example nslookup - will use the default DNS server configured in Whonix-Workstation ™ (via /etc/network/interfaces), which is the Whonix-Gateway ™. Those DNS requests are redirected to Tor's DnsPort by Whonix-Gateway ™ firewall. Whonix-Gateway ™ /etc/resolv.conf does not affect Whonix-Workstation ™ DNS requests.
  5. Traffic generated by the Tor process itself which runs by Debian default under user debian-tor originating from Whonix-Gateway ™ can use the internet normally. This is because user debian-tor is exempted in Whonix-Gateway ™ Firewall, allowed to use the "normal" internet.
  6. The Tor software (as of (and no changed were announced at time of writing) almost exclusively uses TCP traffic. See also Tor wiki page, chapter UDP. For DNS, see next footnote.
  7. Tor does not require, use functional (system) DNS for most functionality. IP addresses of Tor directory authorities are hardcoded in the Tor software as per Tor upstream default. Exceptions include:
    • proxy settings using proxies with host names rather than IP addresses
    • the Tor pluggable transport meek lite to resolve domains used in setting url=, front= to IP addresses.

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 10 year success story and maybe DONATE!