tor-ctrl-observer - Tor Connection Destination Viewer

From Whonix

Ever wanted to know which information is sent by an application? tor-ctrl-observer shows connection information of applications using Tor.

What tor-ctrl-observer is[edit]

Sample printout:

250-stream-status=1094 SENTCONNECT 20 firefox.settings.services.mozilla.com:443
250-stream-status=1094 SUCCEEDED 20 18.64.79.82:443
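As an added example, not code from tor-ctrl-observer or the Whonix project, here is a small Python parser for lines in the format of the printout above. It assumes only the `<StreamID> <Status> <CircuitID> <Target>` field layout that Tor's control protocol uses for `stream-status` replies and for the matching `650 STREAM` event lines; apart from the two lines copied from the printout, every sample line below is constructed for the demonstration.

```python
"""Fold Tor control-port stream lines into a per-stream destination view.

Added example for illustration only; it is not code from tor-ctrl-observer
or the Whonix project. It assumes the field order of Tor's control protocol
(`250-stream-status=` replies and `650 STREAM` events):
    <StreamID> <Status> <CircuitID> <Target> [extra key=value arguments]
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample input. The first two lines are the page's printout; the
# rest (the 650 STREAM event lines, the 192.0.2.x source address, the IPv6
# target and the trailing "250 OK") are made up to exercise the parser.
SAMPLE_LINES = [
    "250-stream-status=1094 SENTCONNECT 20 firefox.settings.services.mozilla.com:443",
    "250-stream-status=1094 SUCCEEDED 20 18.64.79.82:443",
    "250 OK",
    "650 STREAM 1102 NEW 0 check.torproject.org:80 SOURCE_ADDR=192.0.2.10:51234 PURPOSE=USER",
    "650 STREAM 1102 SENTCONNECT 21 check.torproject.org:80",
    "650 STREAM 1102 SUCCEEDED 21 [2001:db8::1]:80",
]

_STREAM_RE = re.compile(
    r"^(?:250-stream-status=|650 STREAM )"
    r"(?P<stream_id>\d+) (?P<status>[A-Z_]+) (?P<circuit_id>\d+) (?P<target>\S+)"
    r"(?: .*)?$"  # events may carry extra key=value arguments after the target
)


@dataclass
class StreamRecord:
    stream_id: int
    status: str
    circuit_id: int
    target: str  # host:port as Tor reports it


def parse_line(line: str) -> Optional[StreamRecord]:
    """Return a StreamRecord for one stream line, or None for anything else
    (e.g. the "250 OK" that closes a GETINFO reply)."""
    m = _STREAM_RE.match(line.strip())
    if m is None:
        return None
    return StreamRecord(
        stream_id=int(m.group("stream_id")),
        status=m.group("status"),
        circuit_id=int(m.group("circuit_id")),
        target=m.group("target"),
    )


def split_target(target: str) -> Tuple[str, int]:
    """Split "host:port" into (host, port); bracketed IPv6 hosts lose their brackets."""
    host, _, port = target.rpartition(":")
    return host.strip("[]"), int(port)


def summarize(lines: Iterable[str]) -> Dict[int, Dict[str, object]]:
    """One entry per stream ID.

    'requested' is the target of the first SENTCONNECT line (what the
    application asked Tor to connect to), 'connected' the target of the
    SUCCEEDED line (the address Tor reports once the stream is up), and
    'last_status' the most recent status seen. Unparseable lines are skipped.
    """
    streams: Dict[int, Dict[str, object]] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = streams.setdefault(
            rec.stream_id, {"requested": None, "connected": None, "last_status": None}
        )
        entry["last_status"] = rec.status
        if rec.status == "SENTCONNECT" and entry["requested"] is None:
            entry["requested"] = rec.target
        elif rec.status == "SUCCEEDED":
            entry["connected"] = rec.target
    return streams


def format_report(summary: Dict[int, Dict[str, object]]) -> List[str]:
    """Render the summary as one human-readable line per stream."""
    out = []
    for stream_id in sorted(summary):
        e = summary[stream_id]
        out.append(
            f"stream {stream_id}: {e['requested'] or '?'} -> "
            f"{e['connected'] or '?'} ({e['last_status']})"
        )
    return out


if __name__ == "__main__":
    for report_line in format_report(summarize(SAMPLE_LINES)):
        print(report_line)
```

Grouping by stream ID is what turns the two printout lines into one readable fact: the application asked for `firefox.settings.services.mozilla.com:443`, and the stream that served it was reported as connected to `18.64.79.82:443`. Lines that do not match the stream layout are ignored rather than guessed at, so a reply terminator or an unrelated event cannot be mistaken for a destination.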

tor-ctrl-observer Advantages[edit]

tor-ctrl-observer is especially useful in combination with Whonix because:

  • All traffic originating from Whonix-Workstation and Whonix-Gateway is routed over Tor. [1] [2] [3] [4] [5] [6] [7]
  • It operates in a secure manner by using Tor's control protocol, making visible the information that Tor internally processes and is already prepared to share with users upon request.

Usage[edit]

On Whonix-Gateway:

1. Open a terminal.

2. Run tor-ctrl-observer.

tor-ctrl-observer

3. Terminate tor-ctrl-observer with signal SIGINT.

Press keyboard keys Ctrl + C.

What tor-ctrl-observer is not[edit]

tor-ctrl-observer does not attempt to be, is not, and cannot be a:

  • Network-level leak test replacement: tor-ctrl-observer only requests connection information from Tor itself. While Tor generally provides this information, if there were bugs in the Tor control protocol, tor-ctrl-observer would not detect them. Similarly, if connections bypass Tor, Tor is unaware of them, and therefore tor-ctrl-observer cannot observe such connections.
  • Tor auditor: For the same reason as above, tor-ctrl-observer cannot be expected to identify bugs in Tor.
  • Tor Controller: Tools such as Nyx provide details on Tor circuits (Bridges, Tor Entry Guards, and middle or exit relays) but do not show final connection destinations. Conversely, tor-ctrl-observer displays information about final connection destinations but not the circuit that carries them.

Forum Discussion[edit]

Tor-ctrl-observer discussion on Whonix forums

See Also[edit]

Footnotes[edit]

  1. Starting from Whonix version 0.2.1, traffic from Whonix-Gateway is also routed over Tor. This approach conceals the use of Whonix from entities monitoring the network.
  2. To preserve the anonymity of a user's Whonix-Workstation activities, it is not essential to route Whonix-Gateway's own traffic through Tor. (Note: The gateway is mainly a tool that helps route traffic; it does not typically contain personal activity data.)
  3. For those interested: altering DNS settings on Whonix-Gateway in /etc/resolv.conf only impacts DNS requests made by Whonix-Gateway's applications that utilize the system's default DNS resolver. (DNS is like the internet's phonebook - it translates website names to IP addresses.) By default, no applications on Whonix-Gateway that generate network traffic use this default resolver. All default applications on Whonix-Gateway that produce network traffic (like apt, systemcheck, sdwdate) are explicitly configured, or forced by uwt wrappers, to use their dedicated Tor SocksPort (refer to Stream Isolation).
  4. Whonix-Workstation's default applications are configured to use dedicated Tor SocksPorts (see Stream Isolation), avoiding the system's default DNS resolver. Any applications in Whonix-Workstation not set up for stream isolation - such as nslookup - will use the default DNS server configured in Whonix-Workstation (through /etc/network/interfaces), which points to Whonix-Gateway. These DNS requests are then redirected to Tor's DnsPort by the Whonix-Gateway firewall. (This ensures DNS lookups still go through Tor even if they use the default method.) Changes in Whonix-Gateway's /etc/resolv.conf do not influence Whonix-Workstation's DNS queries.
  5. Traffic produced by the Tor process, which by Debian's default operates under the user debian-tor and originates from Whonix-Gateway, can access the internet directly. This is permitted because the Linux user account debian-tor is exempted in the Whonix-Gateway Firewall and allowed to use the "regular" internet. (This is necessary for Tor to establish its connections.)
  6. As of Tor version 0.4.5.6 (with no changes announced at the time of writing), the Tor software predominantly relies on TCP traffic. (TCP is a common protocol used for stable internet connections.) For further details, see Tor wiki page, chapter UDP. For DNS, please refer to the next footnote.
  7. Tor does not depend on, nor use, a functional (system) DNS for most of its operations. IP addresses of Tor directory authorities are hardcoded in the Tor software by Tor developers. (That means Tor knows important addresses in advance and doesn't need to look them up.) Exceptions include:
    • Proxy settings that use proxies with domain names instead of IP addresses.
    • Some Tor pluggable transports, such as meek lite, which resolve domains set in url= and front= to IP addresses, or snowflake's -front.