Controlling and Monitoring Tor
Note: Vidalia has been deprecated and is no longer packaged in Debian.
Arm is recommended. It is already pre-installed on Whonix-Gateway. 
To receive a new circuit, press:
To exit arm, press:
|Message / Question||Response|
|arm vs nyx?||Previously called arm. New name will be nyx. |
|Should any of the following Arm messages concern me?||No; the reasons are explained below. See also the FAQ entry, Should I be concerned about... ?.|
|Am I compromised? Does Arm report leaks?||Arm is not designed to detect serious issues such as compromise or leaks. |
|Tor is preventing system utilities like netstat and lsof from working. This means that arm can't provide you with connection information. You can change this by adding 'DisableDebuggerAttachment 0' to your torrc and restarting tor. For more information see... https://trac.torproject.org/3313||If you want to learn about the technical details, read https://trac.torproject.org/3313.|
|DisableDebuggerAttachment even when running as root.||This is a bug in arm.|
|man page (GENERAL OPTIONS and COMMAND-LINE OPTIONS)||This is a bug in arm.|
|[WARN] Socks version 71 not recognized. (Tor is not an http proxy.)||This is caused by whonixcheck (by function check_tor_socks_port_reachability). It checks whether a Tor SocksPort is reachable by trying to fetch it using curl. Tor reads the first byte of curl's HTTP request, "G" (ASCII 71) from "GET", as the SOCKS version. whonixcheck will not report anything if the check worked, but would complain if it failed.|
|[WARN] Rejecting request for anonymous connection to private address [scrubbed] on a TransPort or NATDPort. Possible loop in your NAT rules?||This happens, for example, if you run "curl 192.168.0.15". In Whonix, typing "curl" does not run curl directly by default, but a uwt-wrapped (stream-isolated) curl. It does not connect to 192.168.0.15 directly; it tries to reach 192.168.0.15 through Tor, and that is what Tor is reporting. It only means that you attempted something that will not work that way. Deactivate the curl stream isolation wrapper or use the non-wrapped version (see Stream Isolation).|
|[NOTICE] You configured a non-loopback address '10.152.152.10:9179' for SocksPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted. [1 duplicate hidden] (Or other port number or DnsPort or TransPort.)||Tor really listens on that IP/port. It is Whonix-Gateway's network interface, which is only available to Whonix-Workstations, because it is an internal network shared with Whonix-Workstation and because Whonix-Gateway is firewalled (see /usr/bin/whonix_firewall or the Whonix source code).|
|[NOTICE] New control connection opened. [2 duplicates hidden] (Or more duplicates.)||This is caused by whonixcheck's Tor Bootstrap Status Test, which uses Tor's ControlPort or CPFP.|
|[NOTICE][ARM_WARN] The torrc differ from what tor's using. You can issue a sighup to reload the torrc values by pressing x. Configuration value is missing from the torrc: RunAsDaemon||Arm usability bug. |
|"192.168.0.1 UNKNOWN 1 / Guard" in circuit information||This indicates that you are connecting to the Tor network with a Tor Bridge. If you are directly connecting to the public Tor network (without using a Tor Bridge), you should see the real IP and Nickname of the Guard instead.|
- Since Vidalia is recommended against.
- Arm works on a different level. It is a Tor Controller. It talks to Tor using Tor's ControlPort. It is an interface to show what Tor thinks. Neither Tor nor Arm implement anything such as virus detection, compromise detection, leak detection etc. Messages by Arm are interesting and useful but usually no reason for grave concern. For leak testing, see leak tests.
UWT_DEV_PASSTHROUGH=1 curl 10.152.152.10:9100
tor-ctrl comes with Whonix by default.
Example usage to get a new circuit, on Whonix-Gateway:
tor-ctrl -a /var/run/tor/control.authcookie -c "signal newnym"
tor-ctrl -v -a /var/run/tor/control.authcookie -c "signal newnym"
Example: Get a New Identity using Whonix-Workstation Terminal
Do this every time you want a new circuit. Run tor-ctrl (installed by default) with signal newnym.
bash -x tor-ctrl -p notrequired -c "signal newnym"
If you see the following at the bottom of the output:
+ sendcmd signal newnym
+ echo signal newnym
+ sleep 1
+ sendcmd QUIT
+ echo QUIT
+ sleep 1
+ STR='Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '\''^]'\''. 250 OK 250 OK'
+ vecho 'Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '\''^]'\''. 250 OK 250 OK'
+ '[' 0 -ge 1 ']'
+ echo 'Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '\''^]'\''. 250 OK 250 OK'
++ grep -c '^250 '
+ '[' 2 = 3 ']'
+ exit 1
Then it succeeded. (exit 1 is a bug in tor-ctrl, because it doesn't understand the double 250 OK.)
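The trace above fails only because the script compares the number of "250 " lines with a fixed 3. As an added example (not tor-ctrl's own code), the function below judges a ControlPort transcript by its reply codes instead; the function names and the second transcript are constructed for illustration, and treating 2xx as success and 4xx/5xx as failure is the assumption it rests on.

```shell
#!/bin/sh
# Added example (not tor-ctrl's code): classify a ControlPort transcript by
# reply code instead of by a fixed count of "250 " lines.
# Assumption: 2xx final lines mean success, 4xx/5xx final lines mean failure.

# Reads a transcript on stdin and prints "ok=N failed=M".
# Returns 0 (all replies 2xx), 1 (no reply seen), 2 (some reply was 4xx/5xx).
ctrl_transcript_status() {
    awk '
        # A reply ends on a line "NNN <text>": three digits, then a space.
        # Telnet banner lines ("Trying ...", "Connected to ...") never match.
        /^[0-9][0-9][0-9] / {
            if (substr($0, 1, 1) == "2") ok++
            else if ($0 ~ /^[45]/) failed++
        }
        END {
            printf "ok=%d failed=%d\n", ok, failed
            if (failed > 0) exit 2
            if (ok == 0) exit 1
        }'
}

# Transcript taken from the trace above: two "250 OK" replies.
page_transcript() {
    cat <<'EOF'
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
250 OK
250 OK
EOF
}

# Constructed transcript: a rejected SIGNAL followed by the reply to QUIT.
rejected_transcript() {
    cat <<'EOF'
552 Unrecognized signal code "newnim"
250 closing connection
EOF
}

page_transcript | ctrl_transcript_status; echo "status=$?"
rejected_transcript | ctrl_transcript_status; echo "status=$?"
```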
For advanced users.
Welcome to Stem's interpreter prompt. This provides you with direct access to Tor's control interface.
This acts like a standard python interpreter with a Tor connection available via your 'controller' variable...
>>> controller.get_info('version')
'0.2.5.1-alpha-dev (git-245ecfff36c0cecc)'
You can also issue requests directly to Tor...
>>> GETINFO version
250-version=0.2.5.1-alpha-dev (git-245ecfff36c0cecc)
250 OK
For more information run '/help'.
>>>
For advanced users.
Netcat is a handy way to send Tor control protocol commands to Tor's ControlPort.
Do once. Install netcat.
sudo apt-get install netcat-openbsd
On Whonix-Gateway or Whonix-Workstation. Connect to Tor's ControlPort. 
nc 127.0.0.1 9051
Example command to change your Tor circuit.
Vidalia is recommended against because:
- Vidalia is unmaintained (no one is working on it anymore).
- Vidalia has issues with controlling Tor, i.e. Vidalia can't stop the Tor which comes from the Debian package, which is started as user "debian-tor". It also cannot edit /usr/local/etc/torrc.d/50_user.conf. Not sure if control commands such as New Identity are correctly processed (easy to find out).
- Vidalia does not understand obfuscated bridges.
- Overall, this makes for a pretty bad and confusing user experience. Therefore it is recommended against.
- However, if it is Vidalia's nice network map you're after, that will work.
Better to use Arm.
(If you want to use Vidalia anyhow, see Vidalia.)
- Or, if you are doing this from Whonix-Workstation, only to Control Port Filter Proxy.
- This also works on Whonix-Workstation, because the anon-ws-disable-stacked-tor package has set up rinetd to listen for connections on localhost and forward them to Whonix-Gateway, where Control Port Filter Proxy is listening.
- As noted by Tor developer Roger Dingledine:
Cammy is right -- we've removed the bridge/relay/exit bundles from the download page too, since Vidalia has been unmaintained for years and pointing people to unmaintained software is dangerous. I'd love to have enough developers to do everything at once, but we don't.
Thanks to torproject.org for the arm screenshot, which is under the Creative Commons Attribution 3.0 United States License.