Re: netstat reporting destination IP address
- To: or-talk@xxxxxxxxxxxxx
- Subject: Re: netstat reporting destination IP address
- From: "Gregory Maxwell" <gmaxwell@xxxxxxxxx>
- Date: Sat, 24 Nov 2007 20:54:09 -0500
- Delivery-date: Sat, 24 Nov 2007 20:54:18 -0500
- In-reply-to: <47488E6C.4070902@xxxxxxxxxxx>
- References: <47488E6C.4070902@xxxxxxxxxxx>
- Reply-to: or-talk@xxxxxxxxxxxxx
- Sender: owner-or-talk@xxxxxxxxxxxxx

On 11/24/07, anonym <anonym@xxxxxxxxxxx> wrote:
[snip]
> Now, with this background information in mind I can go on to my actual
> questions for those of you who have managed to read all this (sorry for
> being so verbose): Why does this happen? Is netstat operating on a too
> high level to detect this kernel level magic?

Netstat is telling the truth: You have a connection opened to foohost.
It just so happens that there is some machinery under the hood that
intercepts the traffic and redirects it into tor, but this doesn't
change where the connection is actually going as far as the system is
concerned.

Not only is netstat 'operating on a too high level to detect this', it
would be a bug if it reported anything else.

> Even though we still get as much anonymity as Tor offers and netstat is
> wrong in some way I really do not want this to happen. Incognito uses
> TorK as a control GUI to Tor, and since its "Non-Tor traffic log" uses
> netstat and thus will log these erroneous connections, users might freak
> out and think that Incognito is unsafe. In fact, that was what happened
> to me. Can this be fixed?

Yes. Don't do that.

It would be better if you were running something that sniffed the
network and showed the user all outbound packets that were not Tor.
Just looking at netstat may well miss short-lived (and especially
connectionless) packets which are probably much more of a significant
real threat to the user.
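
The packet-level check recommended in the reply, sketched as an added example (not code from the post, Incognito or TorK): it classifies raw IPv4 packets as seen on the outbound interface and flags everything leaving the host that is not TCP to a known Tor relay, including connectionless UDP that netstat would never list. The local address, the relay list and the sample packets are constructed assumptions using documentation address ranges.

```python
import ipaddress
import struct

# Assumptions for illustration: this host's address and the relay(s) Tor talks to.
LOCAL_IP = ipaddress.ip_address("192.0.2.10")
TOR_RELAYS = {(ipaddress.ip_address("198.51.100.7"), 9001)}
PROTO_NAMES = {6: "tcp", 17: "udp"}

def classify(packet: bytes):
    """Return None for acceptable traffic, else a dict describing the leak."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        # Fail closed: anything we cannot parse (e.g. IPv6) is reported.
        return {"proto": "unparsed", "dst": None, "dport": None}
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = packet[9]
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    if src != LOCAL_IP or dst.is_loopback:
        return None                       # inbound or local-only, not a leak
    dport = None
    if proto in PROTO_NAMES and len(packet) >= ihl + 4:
        _sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if proto == 6 and (dst, dport) in TOR_RELAYS:
        return None                       # TCP to a Tor relay: expected
    return {"proto": PROTO_NAMES.get(proto, str(proto)),
            "dst": str(dst), "dport": dport}

def leaks(packets):
    """All outbound non-Tor packets in a capture, in order."""
    return [hit for hit in map(classify, packets) if hit is not None]

def ipv4(proto, src, dst, sport, dport):
    """Constructed sample packet: 20-byte IPv4 header plus the two port fields."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + struct.pack("!HH", sport, dport)

# Constructed capture: Tor traffic, a direct HTTP connection, a DNS query, a reply.
SAMPLE = [
    ipv4(6, "192.0.2.10", "198.51.100.7", 40000, 9001),   # to the Tor relay
    ipv4(6, "192.0.2.10", "203.0.113.80", 40001, 80),     # TCP that bypassed Tor
    ipv4(17, "192.0.2.10", "203.0.113.53", 40002, 53),    # UDP DNS, connectionless
    ipv4(6, "198.51.100.7", "192.0.2.10", 9001, 40000),   # inbound from the relay
]

if __name__ == "__main__":
    for hit in leaks(SAMPLE):
        print("non-Tor outbound:", hit)
```

A real monitor would feed `classify` from a capture on the external interface, after any redirect rules have been applied, so packets are judged by where they actually go on the wire.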