tor-ctrl-observer - Tor Connection Destination Viewer
Donate
Ever wanted to know which information is sent by an application? tor-ctrl-observer shows connection information of applications using Tor.
What tor-ctrl-observer is[edit]
Ever wanted to know which information is sent by an application? tor-ctrl-observer shows connection information of applications using Tor.
Sample printout:
250-stream-status=1094 SENTCONNECT 20 firefox.settings.services.mozilla.com:443 250-stream-status=1094 SUCCEEDED 20 18.64.79.82:443
tor-ctrl-observer is especially useful in combination with Whonix because:
All traffic originating from Whonix-Workstation™ and Whonix-Gateway™ is routed over Tor. [1] [2] [3] [4] [5] [6] [7]
tor-ctrl-observer operates in sane, secure way by using Tor's control protocol to make information visible to users that Tor is internally processing and ready to share with users on request anyhow.
tor-ctrl-observer Advantages[edit]
- application level leak testing:
tor-ctrl-observercan be used to observe application's network connections.- For example, issue Tor Browser 11.0.4-11.0.6 phoning home
(which is a regression of Firefox is phoning home during start-up in Tor Browser based on ESR 68) has been identified and bug reported to The Tor Project by tor-ctrl-observerdeveloper nyxnor.
- For example, issue Tor Browser 11.0.4-11.0.6 phoning home
Usage[edit]
In Whonix-Gateway™.
1. Open a terminal.
2. Run tor-ctrl-observer.
tor-ctrl-observer
3. Terminate tor-ctrl-observer with signal sigint.
Press keyboard keys Ctrl + C.
What tor-ctrl-observer is not[edit]
tor-ctrl-observer does not attempt to be, is not and cannot be a:
- Network level leak tests replacement: In illustrative language, this is because
tor-ctrl-observerdoes only nicely ask Tor "please show me all the connections you are creating". It is then up to Tor to honor the request. Tor might generally do so but if there were bugs in the Tor control protocol thentor-ctrl-observercould not catch these. If connections are by-passing Tor, in other words not using Tor then Tor is obviously not aware of these connections and thereforetor-ctrl-observercannot observe such connections. - Tor auditor: For the same reason as above,
tor-ctrl-observercannot be expected to find bugs in Tor. - Tor Controller: Such as Nyx. What is the difference between
nyxandtor-ctrl-observer?nyxshows information about which Tor circuits (Bridges, Tor Entry Guards, Tor middle or exit relays) are used but not the final connection destinations. On the other hand,tor-ctrl-observershows information about final connection destinations.
Forum Discussion[edit]
https://forums.whonix.org/t/tor-ctrl-tor-control-port-command-line-tool/8074/41
See Also[edit]
Footnotes[edit]
- ↑
Starting from Whonix version
0.2.1, traffic from Whonix-Gateway is also routed over Tor. This approach conceals the use of Whonix from entities monitoring the network. - ↑ For preserving the anonymity of a user's Whonix-Workstation activities, it isn't essential to route Whonix-Gateway's own traffic through Tor.
- ↑
For those interested: Altering DNS settings on Whonix-Gateway in
/etc/resolv.confonly impacts DNS requests made by Whonix-Gateway's applications that utilize the system's default DNS resolver. By default, no applications on Whonix-Gateway that generate network traffic utilize this default resolver. All default applications on Whonix-Gateway that produce network traffic (like apt, systemcheck, sdwdate) are explicitly configured, or force by uwt wrappers, to use their dedicated Tor SocksPort(refer to Stream Isolation). - ↑
Whonix-Workstation's default applications are configured to use dedicated Tor
SocksPorts(see Stream Isolation), avoiding the system's default DNS resolver. Any applications in Whonix-Workstation not set up for stream isolation - such asnslookup- will employ the default DNS server configured in Whonix-Workstation (through/etc/network/interfaces), which points to Whonix-Gateway. These DNS requests are then redirected to Tor's DnsPort by the Whonix-Gateway firewall. Changes in Whonix-Gateway's/etc/resolv.confdon't influence Whonix-Workstation's DNS queries. - ↑
Traffic produced by the Tor process, which by Debian's default operates under the user
debian-tororiginating from Whonix-Gateway, can access the internet directly. This is permitted because Linux user accountdebian-toris exempted in the Whonix-Gateway Firewall and allowed to use the "regular" internet. - ↑
Tor version
0.4.5.6(with no changes announced at the time of writing), the Tor software predominantly relies on TCP traffic. For further details, see Tor wiki page, chapter UDP. For DNS, please refer to the next footnote. - ↑
Tor doesn't depend on, nor uses a functional (system) DNS for most of its operations. IP addresses of Tor directory authorities are hardcoded in the Tor software by Tor developers. Exceptions are:
- Proxy settings that use proxies with domain names instead of IP addresses.
- Some Tor pluggable transports such as meek lite, which resolves domains set in
url=andfront=to IP addresses or snowflake's-front.
The most watertight privacy operating system in the world.
At Whonix we value freedom and trust, supporting Open Source and Freedom Software
2012-2024 ENCRYPTED SUPPORT LP
We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!