
Re: netstat reporting destination IP address


On 25/11/07 02:54, Gregory Maxwell wrote:
> On 11/24/07, anonym <anonym@xxxxxxxxxxx> wrote:
> [snip]
>> Now, with this background information in mind I can go on to my actual
>> questions for those of you who have managed to read all this (sorry for
>> being so verbose): Why does this happen? Is netstat operating on a too
>> high level to detect this kernel level magic?
> Netstat is telling the truth: You have a connection opened to foohost.
>  It just so happens that there is some machinery under the hood that
> intercepts the traffic and redirects it into tor, but this doesn't
> change where the connection is actually going as far as the system is
> concerned.
> Not only is netstat 'operating on a too high level to detect this', it
> would be a bug if it reported anything else.

That was what I expected. Thanks for clearing it out!

>> Even though we still get as much anonymity as Tor offers and netstat is
>> wrong in some way I really do not want this to happen. Incognito uses
>> TorK as a control GUI to Tor, and since its "Non-Tor traffic log" uses
>> netstat and thus will log these erroneous connections, users might freak
>> out and think that Incognito is unsafe. In fact, that was what happened
>> to me. Can this be fixed?
> Yes. Don't do that.
> it would be better if you were running something that sniffed the
> network and showed the user all outbound packets that were not TOR.

That would be better but my concern is mainly with TorK, and it uses
netstat for its logs. I don't expect the average Incognito user to
monitor netstat, but they might very well find some misleading
information in Tork's logs (as they are very easily accessible through a
nice GUI and all). Well, I guess this is an issue with TorK. Hopefully
Robert Hogan (TorK's maintainer) will read this, although my problem
might be a bit too specific to justify a fix which I guess would turn
out much more complex than the current solution with netstat.

> Just looking at netstat may well miss short-lived (and especially
> connectionless) packets which are probably much more of a significant
> real threat to the user.

If I'm not mistaken, Tor circuits are long-lived enough to show up (?).
Or are you suggesting that Tor initiates other connections as some sort
of intermediate step (I'm certainly no expert on the inner workings of
Tor)? Perhaps I wasn't clear enough, but the only Internet traffic that
is allowed is made through Tor. Anyway, I don't know exactly how TorK
uses netstat to generate its log (I guess it uses --continuous which
updates every second), but the entries in the log stay even though the
connection has been disconnected (and netstat stops showing them).

Connectionless packets are not a problem, as only TCP is allowed to leave
the computer, since UDP etc., as you pointed out, might be a real threat.
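As an added illustration of the point made in this thread (not code from the thread, from Incognito or from TorK): netstat reports the destination the application asked for, so a socket table alone cannot tell a transparently redirected connection from a real leak. On Linux the redirection is visible in the connection-tracking table, whose reply tuple shows where the kernel actually sent the flow. The script below joins constructed netstat lines with constructed conntrack entries (the /proc/net/ip_conntrack layout is assumed) and classifies each socket; the Tor transparent listener address 127.0.0.1:9040 is an assumed placeholder, as the thread never names it.

```python
import re
from typing import Dict, List, Tuple

# Constructed `netstat -tn` style lines: the application sees a socket to
# the real destination even when the kernel redirects the flow into Tor.
NETSTAT_SAMPLE = """\
tcp        0      0 192.168.1.5:45000       93.184.216.34:80        ESTABLISHED
tcp        0      0 192.168.1.5:45001       198.51.100.7:443        ESTABLISHED
tcp        0      0 192.168.1.5:45002       203.0.113.9:22          ESTABLISHED
"""

# Constructed conntrack entries (assumed /proc/net/ip_conntrack layout:
# original tuple first, reply tuple second). The first two flows were
# redirected to the assumed Tor TransPort; the third left the host as-is.
CONNTRACK_SAMPLE = """\
tcp 6 431999 ESTABLISHED src=192.168.1.5 dst=93.184.216.34 sport=45000 dport=80 src=127.0.0.1 dst=192.168.1.5 sport=9040 dport=45000 [ASSURED] use=1
tcp 6 431999 ESTABLISHED src=192.168.1.5 dst=198.51.100.7 sport=45001 dport=443 src=127.0.0.1 dst=192.168.1.5 sport=9040 dport=45001 [ASSURED] use=1
tcp 6 431999 ESTABLISHED src=192.168.1.5 dst=203.0.113.9 sport=45002 dport=22 src=203.0.113.9 dst=192.168.1.5 sport=22 dport=45002 [ASSURED] use=1
"""

TOR_TRANS_ENDPOINT = ("127.0.0.1", 9040)  # assumption: Tor's TransPort
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse_conntrack(text: str) -> Dict[Tuple[str, int, str, int], Tuple[str, int]]:
    """Map (orig src, sport, orig dst, dport) -> (reply src, reply sport)."""
    table = {}
    for line in text.splitlines():
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:          # need both original and reply tuple
            continue
        (src, dst, sport, dport), (rsrc, _rdst, rsport, _rdport) = tuples
        table[(src, int(sport), dst, int(dport))] = (rsrc, int(rsport))
    return table

def classify(netstat_text: str, conntrack_text: str) -> List[Tuple[str, str]]:
    """Return (remote endpoint as netstat shows it, verdict) per TCP socket."""
    ct = parse_conntrack(conntrack_text)
    verdicts = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp":
            continue
        laddr, lport = fields[3].rsplit(":", 1)
        raddr, rport = fields[4].rsplit(":", 1)
        reply = ct.get((laddr, int(lport), raddr, int(rport)))
        if reply is None:
            verdict = "unknown: no conntrack entry"
        elif reply == TOR_TRANS_ENDPOINT:
            verdict = "redirected into Tor"   # netstat entry is not a leak
        else:
            verdict = "LEAK: left the host untouched"
        verdicts.append((fields[4], verdict))
    return verdicts

if __name__ == "__main__":
    for remote, verdict in classify(NETSTAT_SAMPLE, CONNTRACK_SAMPLE):
        print(f"{remote:24} {verdict}")
```

A log built from netstat alone would flag all three sockets; only the third is a genuine non-Tor connection.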