tor-ctrl-observer - Tor Connection Destination Viewer
Donate
Ever wanted to know which information is sent by an application? tor-ctrl-observer shows connection information of applications using Tor.
What tor-ctrl-observer is[edit]
Ever wanted to know which information is sent by an application? tor-ctrl-observer shows connection information of applications using Tor.
Sample printout:
250-stream-status=1094 SENTCONNECT 20 firefox.settings.services.mozilla.com:443 250-stream-status=1094 SUCCEEDED 20 18.64.79.82:443
tor-ctrl-observer is especially useful in combination with Whonix ™ because:
All traffic originating from Whonix-Workstation ™ and Whonix-Gateway ™ is routed over Tor. [1] [2] [3] [4] [5] [6] [7]
tor-ctrl-observer operates in sane, secure way by using Tor's control protocol to make information visible to users that Tor is internally processing and ready to share with users on request anyhow.
tor-ctrl-observer Advantages[edit]
- application level leak testing:
tor-ctrl-observercan be used to observe application's network connections.- For example, issue Tor Browser 11.0.4-11.0.6 phoning home
(which is a regression of Firefox is phoning home during start-up in Tor Browser based on ESR 68) has been identified and bug reported to The Tor Project by tor-ctrl-observerdeveloper nyxnor.
- For example, issue Tor Browser 11.0.4-11.0.6 phoning home
Usage[edit]
In Whonix-Gateway ™.
1. Open a terminal.
2. Run tor-ctrl-observer.
tor-ctrl-observer
3. Terminate tor-ctrl-observer with signal sigint.
Press keyboard keys Ctrl + C.
What tor-ctrl-observer is not[edit]
tor-ctrl-observer does not attempt to be, is not and cannot be a:
- Network level leak tests replacement: In illustrative language, this is because
tor-ctrl-observerdoes only nicely ask Tor "please show me all the connections you are creating". It is then up to Tor to honor the request. Tor might generally do so but if there were bugs in the Tor control protocol thentor-ctrl-observercould not catch these. If connections are by-passing Tor, in other words not using Tor then Tor is obviously not aware of these connections and thereforetor-ctrl-observercannot observe such connections. - Tor auditor: For the same reason as above,
tor-ctrl-observercannot be expected to find bugs in Tor. - Tor Controller: Such as Nyx. What is the difference between
nyxandtor-ctrl-observer?nyxshows information about which Tor circuits (Bridges, Tor Entry Guards, Tor middle or exit relays) are used but not the final connection destinations. On the other hand,tor-ctrl-observershows information about final connection destinations.
Forum Discussion[edit]
https://forums.whonix.org/t/tor-ctrl-tor-control-port-command-line-tool/8074/41
See Also[edit]
Footnotes[edit]
- ↑
Since Whonix ™ version
0.2.1Whonix-Gateway ™ traffic is also routed over Tor. In this way, use of Whonix ™ is hidden from persons or systems observing the network. - ↑ To preserve the anonymity of a user's Whonix-Workstation ™ activities, it is not necessary to torify Whonix-Gateway ™ own traffic.
- ↑
For reader interest: If DNS settings on Whonix-Gateway ™ are changed in
/etc/resolv.conf, this only affects Whonix-Gateway ™ own DNS requests issued by applications using the system's default DNS resolver. By default, no applications issuing network traffic on Whonix-Gateway ™ use the system's default DNS resolver. All applications installed by default on Whonix-Gateway ™ that issue network traffic (apt, systemcheck, sdwdate) are explicitly configured, or forced by uwt wrappers, to use their own Tor SocksPort(see Stream Isolation). - ↑
Whonix-Workstation ™ default applications are configured to use separate Tor
SocksPorts(see Stream Isolation), thereby not using the system's default DNS resolver. Any applications in Whonix-Workstation ™ that are not configured for stream isolation - for examplenslookup- will use the default DNS server configured in Whonix-Workstation ™ (via/etc/network/interfaces), which is the Whonix-Gateway ™. Those DNS requests are redirected to Tor's DnsPort by Whonix-Gateway ™ firewall. Whonix-Gateway ™/etc/resolv.confdoes not affect Whonix-Workstation ™ DNS requests. - ↑
Traffic generated by the Tor process itself which runs by Debian default under user
debian-tororiginating from Whonix-Gateway ™ can use the internet normally. This is because userdebian-toris exempted in Whonix-Gateway ™ Firewall, allowed to use the "normal" internet. - ↑
The Tor software (as of
0.4.5.6) (and no changed were announced at time of writing) almost exclusively uses TCP traffic. See also Tor wiki page, chapter UDP. For DNS, see next footnote. - ↑
Tor does not require, use functional (system) DNS for most functionality. IP addresses of Tor directory authorities are hardcoded in the Tor software as per Tor upstream default. Exceptions include:
- proxy settings using proxies with host names rather than IP addresses
- the Tor pluggable transport meek lite to resolve domains used in setting
url=,front=to IP addresses.
At
Whonix we believe in freedom and trust. That's why we fully support Open Source and Freedom Software.
Whonix ™ is supported by Evolution Host DDoS Protected VPS.
ENCRYPTED SUPPORT LP,
2023
We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 10 year success story and maybe DONATE!