tor-ctrl-observer - Tor Connection Destination Viewer
What tor-ctrl-observer is
Ever wanted to know which information is sent by an application? tor-ctrl-observer shows connection information of applications using Tor.
Sample printout:
    250-stream-status=1094 SENTCONNECT 20 firefox.settings.services.mozilla.com:443
    250-stream-status=1094 SUCCEEDED 20 18.64.79.82:443
tor-ctrl-observer is especially useful in combination with Whonix ™ because:
- All traffic originating from Whonix-Workstation ™ and Whonix-Gateway ™ is routed over Tor. [1] [2] [3] [4] [5] [6] [7]
- tor-ctrl-observer operates in a sane, secure way: it uses Tor's control protocol to make visible to users information that Tor is already processing internally and is ready to share with users on request anyhow.
tor-ctrl-observer Advantages
- application level leak testing: tor-ctrl-observer can be used to observe an application's network connections.
  - For example, the issue "Tor Browser 11.0.4-11.0.6 phoning home" (which is a regression of "Firefox is phoning home during start-up in Tor Browser based on ESR 68") has been identified and reported as a bug to The Tor Project by tor-ctrl-observer developer nyxnor.
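An added example (not part of tor-ctrl-observer or the original page) of the application-level leak testing described above: it parses printout lines in the format of the sample, groups them by stream, and lists destinations outside an expected set. The field order is read off the sample printout, and the function names, the allowlist and the `updates.example.org` line are constructed for illustration.

```python
import re

# Constructed sample: the two lines from the page's printout plus one made-up stream.
SAMPLE = """\
250-stream-status=1094 SENTCONNECT 20 firefox.settings.services.mozilla.com:443
250-stream-status=1094 SUCCEEDED 20 18.64.79.82:443
250-stream-status=1101 SENTCONNECT 23 updates.example.org:80
"""

# Assumed field order, read off the sample: stream ID, status, circuit ID, target.
LINE_RE = re.compile(
    r"^250[-+ ]stream-status=(?P<stream>\S+) (?P<status>[A-Z]+) "
    r"(?P<circuit>\S+) (?P<target>\S+:\d+)$"
)


def split_target(target):
    """Split 'host:port' on the last colon so bracketed IPv6 targets also work."""
    host, _, port = target.rpartition(":")
    return host.strip("[]").lower(), int(port)


def collect_streams(text):
    """Group status lines by stream ID; unparseable lines are skipped."""
    streams = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        dest = split_target(m["target"])
        # "requested" keeps the first target seen for the stream (a hostname in the sample).
        s = streams.setdefault(
            m["stream"], {"circuit": m["circuit"], "requested": dest, "connected": None}
        )
        s["status"] = m["status"]
        if m["status"] == "SUCCEEDED":
            s["connected"] = dest  # target reported with SUCCEEDED (an IP in the sample)
    return streams


def unexpected_destinations(streams, allowed_suffixes):
    """Return streams whose first-seen destination is outside the allowlist."""
    findings = []
    for stream_id, s in streams.items():
        host, port = s["requested"]
        if not any(host == a or host.endswith("." + a) for a in allowed_suffixes):
            findings.append((stream_id, host, port, s["status"]))
    return findings
```

With the allowlist `["mozilla.com"]`, `unexpected_destinations(collect_streams(SAMPLE), ["mozilla.com"])` reports only the constructed stream 1101.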
Usage
In Whonix-Gateway ™:
1. Open a terminal.
2. Run tor-ctrl-observer.
    tor-ctrl-observer
3. Terminate tor-ctrl-observer with signal SIGINT.
    Press keyboard keys Ctrl + C.
What tor-ctrl-observer is not
tor-ctrl-observer does not attempt to be, is not and cannot be a:
- Network level leak tests replacement: In illustrative language, this is because tor-ctrl-observer only nicely asks Tor "please show me all the connections you are creating". It is then up to Tor to honor the request. Tor might generally do so, but if there were bugs in the Tor control protocol then tor-ctrl-observer could not catch these. If connections are bypassing Tor, in other words not using Tor, then Tor is obviously not aware of these connections and therefore tor-ctrl-observer cannot observe such connections.
- Tor auditor: For the same reason as above, tor-ctrl-observer cannot be expected to find bugs in Tor.
- Tor Controller: Such as Nyx. What is the difference between nyx and tor-ctrl-observer? nyx shows information about which Tor circuits (Bridges, Tor Entry Guards, Tor middle or exit relays) are used but not the final connection destinations. On the other hand, tor-ctrl-observer shows information about final connection destinations.
Forum Discussion
https://forums.whonix.org/t/tor-ctrl-tor-control-port-command-line-tool/8074/41
Footnotes
1. Since Whonix ™ version 0.2.1, Whonix-Gateway ™ traffic is also routed over Tor. In this way, use of Whonix ™ is hidden from persons or systems observing the network.
2. To preserve the anonymity of a user's Whonix-Workstation ™ activities, it is not necessary to torify Whonix-Gateway ™'s own traffic.
3. For reader interest: If DNS settings on Whonix-Gateway ™ are changed in /etc/resolv.conf, this only affects Whonix-Gateway ™'s own DNS requests issued by applications using the system's default DNS resolver. By default, no applications issuing network traffic on Whonix-Gateway ™ use the system's default DNS resolver. All applications installed by default on Whonix-Gateway ™ that issue network traffic (apt, systemcheck, sdwdate) are explicitly configured, or forced by uwt wrappers, to use their own Tor SocksPort (see Stream Isolation).
4. Whonix-Workstation ™ default applications are configured to use separate Tor SocksPorts (see Stream Isolation), thereby not using the system's default DNS resolver. Any applications in Whonix-Workstation ™ that are not configured for stream isolation - for example nslookup - will use the default DNS server configured in Whonix-Workstation ™ (via /etc/network/interfaces), which is the Whonix-Gateway ™. Those DNS requests are redirected to Tor's DnsPort by the Whonix-Gateway ™ firewall. Whonix-Gateway ™ /etc/resolv.conf does not affect Whonix-Workstation ™ DNS requests.
5. Traffic generated by the Tor process itself, which by Debian default runs under user debian-tor, originating from Whonix-Gateway ™ can use the internet normally. This is because user debian-tor is exempted in the Whonix-Gateway ™ Firewall and allowed to use the "normal" internet.
6. The Tor software (as of 0.4.5.6) (and no changes were announced at time of writing) almost exclusively uses TCP traffic. See also Tor wiki page, chapter UDP. For DNS, see next footnote.
7. Tor does not require or use functional (system) DNS for most functionality. IP addresses of Tor directory authorities are hardcoded in the Tor software as per Tor upstream default. Exceptions include:
    - proxy settings using proxies with host names rather than IP addresses
    - the Tor pluggable transport meek lite, to resolve domains used in the settings url=, front= to IP addresses.
