lot of changes on the script in past commit, create a dev branch when it is need.

from #13 (comment)

Adrelanos said:
1.
Suggestion:
* --human (default?): show a greeting message "INFO: tor-ctrl-stream subscribed to Tor event setevents-stream. As soon as streams are created, output will be shown Below. To exit, press ctrl + c."
* --machine: no additional explanations. This is to make the output easier to parse in scripts.

Not sure this all fits. I am looking for some tool to monitor where Tor is connecting to for the purpose of finding out about unwanted connections (bad for privacy or even malware).

tor-ctrl-stream as is is OK as is for its use case. It's console output should not be published such as in public forums by users since it contains their whole circuit from Tor entry guard, middle relay and exit relay.

Could you please add a warning (only shown when not using --machine) that posting this contents online could de-anonymize users?

The utility I am looking for is actually something that users can share online without risk. Not showing Tor entry/middle/exit. Only showing which IPs or onions Tor is connecting to. Then users could share this in public places, post logs without risk, report bugs about unwanted connections (privacy violations or malware). That isn't a good idea to mix into tor-ctrl-stream. A separate utility for that purpose would be cool.

Option probably gonna be -h because df (disk free) uses it also. -h should be for help, will be defined later.

1. Part one of it was made a draft, it is just an warning any way. But mode human and default have not been made yet.
2. Warnings on human about sharing private information such as streams should be done also.
3. I think this can be done with tor-ctrl-stream and with an option, do not check for circuit paths. But I need you to define better the format you want (the fields you desire in control-spec format https://gitweb.torproject.org/torspec.git/tree/control-spec.txt).

it is simple, query with GETINFO ns/id/RELAY_FINGERPRINT, but tor-ctrl-circuit is not using all its data, which just need more fields.

It is not working currently because it can't read the replies because all commands are sent, piped to networking tool (netcat/socat/telnet) then it is analyzed by tor;s controller, because of this I am having a bad time to get the ServerNonce without closing the connection, which would result on a new servernonce next time.

https://stem.torproject.org/faq.html#i-m-using-safe-cookie-authentication

Steps to reproduce:

tor-ctrl-stream

From another instance:

torsocks curl https://check.torproject.org/api/ip
curl -x socks5h://127.0.0.1:9050

Go back and see outout and finish:

650 STREAM 12947 NEWRESOLVE 0 check.torproject.org:42 SOURCE_ADDR=127.0.0.1:45916 PURPOSE=DNS_REQUEST SOCKS_USERNAME="torsocks-[REDACTED]" SOCKS_PASSWORD="[REDACTED]" CLIENT_PROTOCOL=SOCKS5
650 STREAM 12947 SENTRESOLVE 10656 check.torproject.org:42 SOCKS_USERNAME="torsocks-[REDACTED]" SOCKS_PASSWORD="[REDACTED]" CLIENT_PROTOCOL=SOCKS5
650 STREAM 12947 REMAP 10656 116.202.120.181:42 SOURCE=EXIT SOCKS_USERNAME="torsocks-[REDACTED]" SOCKS_PASSWORD="[REDACTED]" CLIENT_PROTOCOL=SOCKS5
650 STREAM 12947 CLOSED 10656 116.202.120.181:42 REASON=DONE SOCKS_USERNAME="torsocks-[REDACTED]" SOCKS_PASSWORD="[REDACTED]" CLIENT_PROTOCOL=SOCKS5
650 STREAM 12948 NEW 0 116.202.120.181:443 SOURCE_ADDR=127.0.0.1:45918 PURPOSE=USER SOCKS_USERNAME="torsocks-[REDACTED]" SOCKS_PASSWORD="[REDACTED]" CLIENT_PROTOCOL=SOCKS5
650 STREAM 12948 SENTCONNECT 10657 116.202.120.181:443 SOCKS_USERNAME="torsocks-[REDACTED]" SOCKS_PASSWORD="[REDACTED]" CLIENT_PROTOCOL=SOCKS5
650 STREAM 12948 REMAP 10657 116.202.120.181:443 SOURCE=EXIT SOCKS_USERNAME="torsocks-[REDACTED]" SOCKS_PASSWORD="[REDACTED]" CLIENT_PROTOCOL=SOCKS5
650 STREAM 12948 SUCCEEDED 10657 116.202.120.181:443 SOCKS_USERNAME="torsocks-[REDACTED]" SOCKS_PASSWORD="[REDACTED]" CLIENT_PROTOCOL=SOCKS5
650 STREAM 12948 CLOSED 10657 116.202.120.181:443 REASON=DONE SOCKS_USERNAME="torsocks-[REDACTED]" SOCKS_PASSWORD="[REDACTED]" CLIENT_PROTOCOL=SOCKS5

650 STREAM 12949 NEW 0 check.torproject.org:443 SOURCE_ADDR=127.0.0.1:45920 PURPOSE=USER CLIENT_PROTOCOL=SOCKS5
650 STREAM 12949 SENTCONNECT 10651 check.torproject.org:443 CLIENT_PROTOCOL=SOCKS5
650 STREAM 12949 REMAP 10651 116.202.120.181:443 SOURCE=EXIT CLIENT_PROTOCOL=SOCKS5
650 STREAM 12949 SUCCEEDED 10651 116.202.120.181:443 CLIENT_PROTOCOL=SOCKS5
650 STREAM 12949 CLOSED 10651 116.202.120.181:443 REASON=DONE CLIENT_PROTOCOL=SOCKS5


Stream: 12948, Target: 116.202.120.181:443 (116.202.120.181:443)
Circuit: 10657, Purpose: GENERAL

Stream: 12949, Target: 116.202.120.181:443 (check.torproject.org:443)
Circuit: 10651, Purpose: GENERAL

My understanding is that with torsocks, it first sends a SENTRESOLVE to resolve the hotname with tor, gets the ip and close the connection. Than it opens another connection directly to that ip.

As there is no SUCEEDED from the resolve stream, it just REMAP and CLOSED, the resolve hostname is never saved. Then it procedes to the next lines which does not contain the hostname, only the ip and is saving only the ip of course as the hostname was never cached by tor-ctrl-stream.

On the top and/or on the bottom of its output?

tor-ctrl-observer 

tor-ctrl-observer: [info]: subscribed to Tor stream events, as soon as streams are created, output will be shown below.

Good.

tor-ctrl: [notice] connecting to socket with command: nc -U /run/tor/control

Good.

attempting to connect to

[1] attempting to connect to... To what? And did it succeed? I guess so. But still a bit confusing.

stop listening with Ctrl+C

Maybe rather write
To stop listening and show a summary, please Ctrl+C.
?

User could further think, yeah, sure, with Ctrl+C I can exit this. Thanks for the tip. But instead, I could also just close the window. But that's wrong, the Ctrl+C will actually show additional information.

connecting to socket with

connecting to socket with... With what? And did it succeed? I guess so. But still a bit confusing. Similar to [1].

• ONION_CLIENT_AUTH_ADD - https://gitweb.torproject.org/torspec.git/tree/control-spec.txt#n1990
• ONION_CLIENT_AUTH_REMOVE - https://gitweb.torproject.org/torspec.git/tree/control-spec.txt#n2033
• ONION_CLIENT_AUTH_VIEW - https://gitweb.torproject.org/torspec.git/tree/control-spec.txt#n2051

It is not the same key format used inside ClientOnionAuthDir/file.auth_private, as it is in base32 and the controller requires it to be in base 64.

Read TPO Client-Auth

To generate a key, you need openssl (not libressl as it does not contains alg x25519) and basez, as it contains base32 and bas64 scripts to encode and decode.

Create certificate:

openssl genpkey -algorithm x25519 -out /tmp/k1.prv.pem

Generate base32 keys:

private key:

grep -v " PRIVATE KEY" /tmp/k1.prv.pem | base64pem -d | tail -c 32 | base32 | tr -d "=" > /tmp/k1.prv.key.base32

public key:

openssl pkey -in /tmp/k1.prv.pem -pubout | grep -v " PUBLIC KEY" | base64pem -d | tail -c 32 | base32 | tr -d "=" > /tmp/k1.pub.key.base32

Keys

Generate base64 keys:

private key:

grep -v " PRIVATE KEY" /tmp/k1.prv.pem | base64pem -d | tail -c 32 | base64 | tr -d "=" > /tmp/k1.prv.key.base64

public key:

openssl pkey -in /tmp/k1.prv.pem -pubout | grep -v " PUBLIC KEY" | base64pem -d | tail -c 32 | base64 | tr -d "=" > /tmp/k1.pub.key.base64

Convert key from base64 to base32:

private key:

base64 -d /tmp/k1.prv.key.base64 2>/dev/null | base32 | tr -d "=" > /tmp/k1.prv.key.base32

public key:

base64 -d /tmp/k1.pub.key.base64 2>/dev/null | base32 | tr -d "=" >  /tmp/k1.pub.key.base32

Convert key from base32 to base64:

private key:

printf '%s====\n' "$(cat /tmp/k1.prv.key.base32)" | base32 -d | base64 | tr -d "=" >  /tmp/k1.prv.key.base64

public key:

printf '%s====\n' "$(cat /tmp/k1.pub.key.base32)" | base32 -d | base64 | tr -d "=" >  /tmp/k1.pub.key.base64

Syntax

serviceId is the hostname without .onion.
serviceId=HSAddress

ONION_CLIENT_AUTH_ADD

serviceId x25519:privateKeyInBase64

Flags=Permanent - This client's credentials should be stored in the filesystem. If this is not set, the client's credentials are ephemeral and stored in memory.

ONION_CLIENT_AUTH_REMOVE

serviceId

ONION_CLIENT_AUTH_VIEW

[serviceId]

Tells the connected Tor to list all the stored client-side v3 client auth credentials for "HSAddress". If no "HSAddress" is provided, list all the stored client-side v3 client auth credentials.

#19

The utility I am looking for is actually something that users can share online without risk. Not showing Tor entry/middle/exit. Only showing which IPs or onions Tor is connecting to. Then users could share this in public places, post logs without risk, report bugs about unwanted connections (privacy violations or malware). That isn't a good idea to mix into tor-ctrl-stream. A separate utility for that purpose would be cool.

I think this can be done with tor-ctrl-stream and with an option, do not check for circuit paths. But I need you to define better the format you want (the fields you desire in control-spec format https://gitweb.torproject.org/torspec.git/tree/control-spec.txt).

hiding tor-ctrl-stream circuit path option

privacy concern, but more as a stability
also, it was necesary because piping to a while loop that created subshells, so I need to rewrite some parts.

Checking if Tor Browser 11.0.6 is still phoning home:

tor-ctrl-stream -s 9151 -m -z

StreamId StreamPurpose StreamTarget CircuitId CircuitPurpose
--------------------------------------------------------------------------------------------------------------
15 USER [2a04:4e42:39::201]:443-() 1  GENERAL
16 USER [2a04:4e42:39::201]:443-() 1  GENERAL
17 USER [2a04:4e42:39::201]:443-() 1  GENERAL
18 USER [2606:4700:10::6816:10d4]:443-() 1  GENERAL
19 USER [2606:4700:10::6816:10d4]:443-() 1  GENERAL
20 USER [2606:4700:10::6816:10d4]:443-() 1  GENERAL
21 USER [2606:4700:10::6816:10d4]:443-() 1  GENERAL

The first hostname for streams 15-17 should have been www(dot)https-rulesets.org and for 18-20 securedrop.org

Besides that, another problem was sharing the same circuit, the number 1. What happened to stream isolation?

Sometimes users request a feature to observe connections between Whonix-Workstation and Whonix-Gateway. But it's not really limited to Whonix. Also users that are using Tor Browser would like to check what connections Tor is actually creating. (related: #27)

In #13 (comment) a Tor Browser regression was found, Tor Browser (Firefox) phoning home to firefox.settings.services.mozilla.com:
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/31575

Which you then reported at:
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40788

Including some potential other unwanted connections.

There might be many more such privacy violations. But these are difficult to spot when these are routed over Tor.

Therefore it would be useful to have some tool that users can run which shows everything where Tor is resolving DNS and connecting to.

• Output should be safe to copy/paste into public places such as mailing lists, forums, IRC without de-anonymizing oneself. Therefore Tor entry guard, middle relay and exit relay and even onion rendezvous relay should be omitted.
• Duplicates might often be not helpful, but sometimes helpful to see the how many there really are or guess what is causing it? Default probably best to not show duplicates?
• Simple to start monitoring by just staring 1 utility?
• Similar to tor-ctrl-stream but simpler and OK for copy/paste?
• If connecting to IPs, get the reverse DNS of the IP and add it to the script output to make it easier for the user to find out what kind of connection it is?
• Live. Show connections when they are created. Better usability than having to press another button to actually see what happened.
• Not sure if there is a way to find out which application was responsible for the traffic?

Test this option. The problem is if circuits were built long before and they won't appear with events, so use getinfo as fallback.
Save events to a file and query the right circuit line.
I think this may speed up a little bit and avoid calling the control port many times.

https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/

exec 3<>/dev/tcp/127.0.0.1/9051
printf '%s\n%s\n' "PROTOCOLINFO" "QUIT" >&3
cat <&3

benefit is not depending on downloading nc, socat, telnet.

would need to check minimal bash version.

had some issues trying to implement in the current state of the script.

This fails and the printed table becomes wrong because streams can be in the following order:

650 STREAM 14320 SUCCEEDED 10773
650 STREAM 14324 CLOSED 10775
650 STREAM 14318 CLOSED 10772
650 STREAM 14322 SENTCONNECT 10774
650 STREAM 14320 CLOSED 10773
650 STREAM 14326 SUCCEEDED 10776
650 STREAM 14322 SUCCEEDED 10774
650 STREAM 14326 CLOSED 10776
650 STREAM 14322 CLOSED 10774

The table results in a mess, it does not match the real streams, just the last closed.

tor-ctrl-stream should print based on StreamID, third field.

Will partially help with #22

You can setup tor-ctrl -w SETEVENTS STREAM > stream.log. Then later:
tor-ctrl-stream -f stream.log to beautify the output.

This create ephemeral onion services that never touch disk. It would be very helpful to facilitate the commands to be used in short.

from #13 (comment)
Adrelanos said:
Also start menu entries would be great. This is how it's done in Whonix.
* https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/usr/libexec/gateway-shortcuts/nyx
* https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/usr/share/applications/gateway-nyx.desktop
* https://github.com/Whonix/helper-scripts/blob/master/usr/libexec/helper-scripts/terminal-wrapper

I could certainly add (and most likely would) add tor-ctrl and tor-ctrl applications start menu entries in Whonix if this cannot be done in this upstream repository (preferred). But how to implement start menu entries (graphical) for a console application outside of Whonix is unclear to me since helper-scripts and therefore terminal-wrapper isn't installed by default. And replicating this functionality in "every" (this) repository seems to much to me. A dependency on helper-scripts might also be unwanted? If helper-scripts was available from packages.debian.org, that might make it an easier case? But not easy.

Yes, as adding terminal-wrapper script here would be as you said, replicating and too much. The shortcuts and .desktop are okay, but I will have to wait for an update status about this issue.

http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/tor-ctrl-tor-control-port-command-line-tool/8074/48

https://gitweb.torproject.org/torspec.git/tree/control-spec.txt#n2501

Two things:

1. print source_addr on the organized table
2. option to filter source_addr, to help distinguish clients

Is it dangerous? Not sure.

tor-ctrl fails on TailsOS if letting it get the first socket because /run/tor/control, even though the permissions are the same as on debian (srw-rw----) and conf:

ControlSocket /run/tor/control GroupWritable RelaxDirModeCheck
ControlSocketsGroupWritable 1

files:

• https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/onion-grater
• https://gitlab.tails.boum.org/tails/tails/-/tree/master/config/chroot_local-includes/etc/onion-grater.d

tests:

amnesia@amnesia:~/tor-ctrl$ tor-ctrl SIGNAL NEWNYM
nc: unix connect failed: Permission denied
tor-ctrl: nc: Connetion refused to /run/tor/control

amnesia@amnesia:~/tor-ctrl$ tor-ctrl -s /run/tor/control SIGNAL NEWNYM
nc: unix connect failed: Permission denied
tor-ctrl: nc: Connetion refused to /run/tor/control

amnesia@amnesia:~/tor-ctrl$ sudo -u debian-tor tor-ctrl -s /run/tor/control SIGNAL NEWNYM
[sudo] password for amnesia:     
250 OK
250 OK
250 closing connection

amnesia@amnesia:~/tor-ctrl$ sudo tor-ctrl -s /run/tor/control SIGNAL NEWNYM
[sudo] password for amnesia:     
250 OK
250 OK
250 closing connection

amnesia@amnesia:~/tor-ctrl$ tor-ctrl -s 9051 SIGNAL NEWNYM
250 OK
510 Command filtered
250 closing connection

amnesia@amnesia:~/tor-ctrl$ sudo tor-ctrl -s 9051 SIGNAL NEWNYM
[sudo] password for amnesia:     
250 OK
510 Command filtered
250 closing connection

Also the torrc is owned by user and group debian-tor, so even though on /lib/systemd/system/[email protected] has --defaults-torrc and -f (ExecStart=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0), it wil never read /etc/tor/torrc because it will receive permission denied because /lib/systemd/system/[email protected]/writable-etc-tor.conf has:

[Service]

# SAVECONF requires tor to be allowed to modify its own configuration
ProtectSystem=yes
ReadWriteDirectories=-/etc/tor

and /etc/apparmor.d/system_tor giver permission to tor to write to /etc/tor: /etc/tor/* w,

and running --verify-config:

tor --verify-config --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc
[redacted]
[notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
[warn] Could not open "/etc/tor/torrc": Permission denied
[warn] Unable to open configuration file "/etc/tor/torrc".
[err] Reading config failed--see warnings above.

and on /etc/tor/torrc, the control socket set there is ControlPort 127.0.0.1:9052. Which is only connectable if run as the tor user or root:

amnesia@amnesia:~/tor-ctrl$ tor-ctrl -s 9052 SIGNAL NEWNYM
tor-ctrl: nc: Connetion refused to 127.0.0.1:9052

amnesia@amnesia:~/tor-ctrl$ sudo -u debian-tor tor-ctrl -s 9052 SIGNAL NEWNYM
[sudo] password for amnesia:     
250 OK
250 OK
250 closing connection

amnesia@amnesia:~/tor-ctrl$ sudo tor-ctrl -s 9052 SIGNAL NEWNYM
[sudo] password for amnesia:     
250 OK
250 OK
250 closing connection

amnesia@amnesia:~/tor-ctrl$ tor-ctrl -s 9052 GETCONF User
tor-ctrl: nc: Connetion refused to 127.0.0.1:9052

amnesia@amnesia:~/tor-ctrl$ sudo -u debian-tor tor-ctrl -s 9052 GETCONF User
[sudo] password for amnesia:     
250 OK
250 User=debian-tor
250 closing connection

amnesia@amnesia:~/tor-ctrl$ sudo tor-ctrl -s 9052 GETCONF User
[sudo] password for amnesia:     
250 OK
250 User=debian-tor
250 closing connection

And even though the I couldn't find the ControlPort 127.0.0.1:9051 on any configuration file that tor starts with:

amnesia@amnesia:~/tor-ctrl$ sudo grep -E "^ControlPort [^ ]*|^ControlSocket [^ ]*" /usr/share/tor/tor-service-defaults-torrc /etc/tor/torrc
[sudo] password for amnesia:     
/usr/share/tor/tor-service-defaults-torrc:ControlSocket /run/tor/control GroupWritable RelaxDirModeCheck
/etc/tor/torrc:ControlPort 127.0.0.1:9052

the command is filtered on port 9051 even if running as root or the tor user:

amnesia@amnesia:~/tor-ctrl$ tor-ctrl -s 9051 SIGNAL NEWNYM
250 OK
510 Command filtered
250 closing connection

amnesia@amnesia:~/tor-ctrl$ sudo tor-ctrl -s 9051 SIGNAL NEWNYM
[sudo] password for amnesia:     
250 OK
510 Command filtered
250 closing connection

amnesia@amnesia:~/tor-ctrl$ sudo -u debian-tor tor-ctrl -s 9051 SIGNAL NEWNYM
[sudo] password for amnesia:     
250 OK
510 Command filtered
250 closing connection

Tails filter commands on port 9051 (and can be run as the user amnesia), but not on port 9052 (which can only be used as the tor user or root)

Besides the filter port 9051, it does not work as expected, signal newnym does not change the circuits, but on 9052, which is not filtered, it works. Tested using:

curl -x socks5h://127.0.0.1:9050 https://check.torproject.org/api/ip

sudo -u debian-tor tor-ctrl -s 9051 signal newnym

curl -x socks5h://127.0.0.1:9050 https://check.torproject.org/api/ip

sudo -u debian-tor tor-ctrl -s 9052 signal newnym

curl -x socks5h://127.0.0.1:9050 https://check.torproject.org/api/ip

So, I could cycle the available control sockets trying to connect to all of them, and if any connect, use it, else fail obviously.
Using multiple control ports/sockets means that every socket can be used to connect to the controller, so why not?
tor-ctrl is alreday

there are some duplicated code, source functions from a single file.

see https://github.com/adrelanos/tor-ctrl
https://forums.whonix.org/t/tor-ctrl-tor-control-port-command-line-tool/8074/7

this would facilitate a lot, you only specify the directory of the file that contains the onion services pk and it will be activated, so no need to copy contents to the command line and also facilitates if you want to setup a lot of services on the controller.

tor-ctrl -d signal NEWNYM

+ : signal NEWNYM
+ [ -n signal NEWNYM ]
+ printf %ssignal NEWNYM\n
+ sed s|^ ||
+ cmd_cli=signal NEWNYM
+ check_progs
+ prog_net=nc netcat socat telnet
+ has nc
+ _cmd=
+ return 1
+ has netcat
+ _cmd=
+ return 1
+ has socat
+ _cmd=/usr/bin/socat
+ [ -x /usr/bin/socat ]
+ socket_prog=socat
+ break
+ [ -z socat ]
+ : 0
+ [ -z  ]
+ get_socket
+ test -f /lib/systemd/system/[email protected]
+ grep ExecStart= /lib/systemd/system/[email protected]
+ sed s/ExecStart=//g
+ tor_start_command=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
+ printf %s\n /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
+ sed s/.*--defaults-torrc //
+ cut -d   -f1
+ grep --  --defaults-torrc [^ ]*
+ default_torrc=/usr/share/tor/tor-service-defaults-torrc
+ [ -n /usr/share/tor/tor-service-defaults-torrc ]
+ printf %s\n --defaults-torrc /usr/share/tor/tor-service-defaults-torrc
+ default_torrc=--defaults-torrc /usr/share/tor/tor-service-defaults-torrc
+ cut -d   -f1
+ sed s/.*-f //
+ grep --  -f [^ ]*
+ printf %s\n /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
+ f_torrc=/etc/tor/torrc
+ [ -n /etc/tor/torrc ]
+ printf %s\n -f /etc/tor/torrc
+ f_torrc=-f /etc/tor/torrc
+ tor --verify-config --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc
+ grep -E  Read configuration file [^ ]*| Including configuration file [^ ]*
+ awk {print $NF}
+ sed s/"//;s/"\.//
+ tor_config_files=/etc/tor/torrc
+ grep -E ^ControlPort [^ ]*|^ControlSocket [^ ]* /etc/tor/torrc
+ cut -d   -f2
+ sed s/"//g;s/unix\://
+ cut -d : -f2
+ head -n 1
+ tor_control_socket_alternative=
+ tor_control_socket=
+ [ -n  ]
+ tor_control_socket=127.0.0.1:9051
+ get_dry_run
+ [  = 1 ]
+ check_socket
+ socket_type=tcp
+ tor_control_port=9051
+ tor_control_port=9051
+ printf %d 9051
+ [ 9051 -gt 0 ]
+ [ 9051 -le 65535 ]
+ tor_control_host=127.0.0.1
+ [ 127.0.0.1 = 9051 ]
+ printf %s\n 127.0.0.1
+ tr .  
+ printf %d 127
+ [ 127 -ge 0 ]
+ [ 127 -le 255 ]
+ printf %d 0
+ [ 0 -ge 0 ]
+ [ 0 -le 255 ]
+ printf %d 0
+ [ 0 -ge 0 ]
+ [ 0 -le 255 ]
+ printf %d 1
+ [ 1 -ge 0 ]
+ [ 1 -le 255 ]
+ socket_prog_connect=socat TCP:127.0.0.1:9051 -
+ socat TCP:127.0.0.1:9051 /dev/null
+ login
+ send_cmd PROTOCOLINFO
+ printf %s\n PROTOCOLINFO
+ sleep 0
+ grep AUTH
+ socat TCP:127.0.0.1:9051 -
+ send_cmd QUIT
+ printf %s\n QUIT
+ sleep 0
+ auth=
+ printf %s\n 
+ tr , \n
+ sed s/250-AUTH METHODS=//
+ cut -d   -f1
+ auth_methods=
+ printf %s
+ grep -q AUTH METHODS=NULL
+ printf %s\n 
+ grep ^HASHEDPASSWORD$
+ hashedpassword_enabled=
+ printf %s\n 
+ tr -d \r
+ + tr -d "
sed s/.*COOKIEFILE=//
+ tor_cookie=
+ test -r 
+ [ -n  ]
+ safecookie_enabled=
+ [ -n  ]
+ socat TCP:127.0.0.1:9051+ cmd_pipe
+ send_cmd 
+ printf %s\n 
 -
+ sleep 0
+ + send_cmd signal NEWNYM
+ printf %s\n signal NEWNYM
+ sleep 0
finish
+ cat
+ [ 0 -eq 1 ]
+ send_cmd QUIT
+ printf %s\n QUIT
+ sleep 0
+ str=
+ [ 0 -eq 0 ]
+ printf %s\n 

+ grep -c ^250 
+ printf %s\n 
+ [ 0 = 3 ]
+ exit 1

It's even working. Here is the excerpt of the onion-grater debug log when using tor-ctrl with -d. (tor-ctrl -d signal NEWNYM )

(enabling onion-grater debugging)

Jan 15 20:45:18 host onion-grater[1759]: 10.138.33.155:40700 (filter: 30_autogenerated): ignoring received empty (or whitespace-only) line
Jan 15 20:45:18 host onion-grater[1759]: 10.138.33.155:40700 (filter: 30_autogenerated): -> signal NEWNYM
Jan 15 20:45:18 host onion-grater[1759]: 10.138.33.155:40700 (filter: 30_autogenerated): <- 250 OK
Jan 15 20:45:18 host onion-grater[1759]: 10.138.33.155:40700 (filter: 30_autogenerated): -> QUIT
Jan 15 20:45:18 host onion-grater[1759]: 10.138.33.155:40700 (filter: 30_autogenerated): <- 250 closing connection
Jan 15 20:45:18 host onion-grater[1759]: 10.138.33.155:40700 (filter: 30_autogenerated) disconnected: client quit

But why does tor-ctrl exit 1?

I am not sure this is worth fixing. Not seeing any actual issues resulting from this.

When running tor-ctrl in Whonix-Workstation...

tor-ctrl -d signal NEWNYM

onion-grater in debug mode shows the following:

Jan 15 20:45:18 host onion-grater[1759]: 10.138.33.155:40700 (filter: 30_autogenerated): ignoring received empty (or whitespace-only) line

(enabling onion-grater debugging)

Using tor-ctrl-stream in Whonix-Gateway.

Is it expected that one has to press Enter before any output is shown?

add here

to do the same tests as here

if this is not done from the beggining, it will fail n times after it but not exit the script till it is finished, this is not desired, better have a basic check.

https://forums.whonix.org/t/tor-ctrl-tor-control-port-command-line-tool/8074/4

No more upstream indeed.

Yes, tor-ctrl could use some love. Didn’t work on it much since no one ever cared about it. So even considered deprecation.

Documentation https://www.whonix.org/wiki/Tor_Controller#tor-ctrl currently is needlessly complicated due to deficencies of the script

tor-ctrl -a /var/run/tor/control.authcookie -c "signal newnym"

    -a /var/run/tor/control.authcookie could be avoided by using Tor auth cookie authentication by default.
    -c could be the default (and then -c switch could be avoided).
    -f file does not seem important. Could be removed. And if needed, better to invent a wrapper around it.
    SLEEP_AFTER_CMD=1 - if we use sleep it means we didn’t figure out a proper event based flow.
    Tor ControlPort support should be deprecated for code simplification. Debian tor package nowadays sets up Tor ControlSocket by default. No more need to use ControlPort. Then we could remove all references to telnet and the dependency on telnet.
    I never tested SETEVENTS / long running sessions. If you can make that work, cool.

Help welcome.

• cookie option is detected by sending PROTOCOLINFO and getting the COOKIEFILE if available, if not fallback to PASSWORD.
• -c can be removed, can do that
• -f, never used it, prefer to call the scripts directly.
• SLEEP_AFTER_CMD - Investigate

ControlPort support should be deprecated for code simplification. Debian tor package nowadays sets up Tor ControlSocket by default

Done upstream and by you later.

SETEVENTS

I have this example to listen to streams https://github.com/nyxnor/tor-controller/blob/366801ee39fba1ef6bf1e401566f5ad9ffae844d/scripts/stream.sh#L35

It SETEVENTS STREAM, the -w option to wait for user to press enter. Before pressing enter of course, there would be commands run to initialize a stream:

./scripts/stream.sh

on another terminal

curl -x socks5h://127.0.0.1:9050 github.com
curl -x socks5h://127.0.0.1:9050 jqyzxhjk6psc6ul5jnfwloamhtyh7si74b4743k2qgpskwwxrzhsxmad.onion

going back to the first terminal and press enter

------------------------------------------------------------------------------------------
Stream: 458, Target: 140.82.121.4:80 (github.com:80)
Circuit: 346, Purpose: GENERAL
n. fingerprint                              address        nickname     locale
------------------------------------------------------------------------------------------
1. FINGERPRINTREDACTED relayipredacted node1 countrycoderedacted
2. FINGERPRINTREDACTED relayipredacted node2 countrycoderedacted
3. FINGERPRINTREDACTED relayipredacted node3 countrycoderedacted
------------------------------------------------------------------------------------------

------------------------------------------------------------------------------------------
Stream: 459, Target: jqyzxhjk6psc6ul5jnfwloamhtyh7si74b4743k2qgpskwwxrzhsxmad.onion:80
Circuit: 348, Purpose: HS_CLIENT_REND
n. fingerprint                              address        nickname     locale
------------------------------------------------------------------------------------------
1. FINGERPRINTREDACTED relayipredacted node1 countrycoderedacted
2. FINGERPRINTREDACTED relayipredacted node2 countrycoderedacted
3. FINGERPRINTREDACTED relayipredacted node3 countrycoderedacted
4. FINGERPRINTREDACTED relayipredacted node4 countrycoderedacted
------------------------------------------------------------------------------------------

Is it possible to use tor-ctrl also to interact with provided by the Tor Browser Bundle (TBB)?

That would be useful. Next ticket will explain why.

from #13 (comment)

Adrelanos said:
I didn't know what that IP is. Can be found on search engines (check.torproject.org) but that isn't comfortable to find out about unwanted connections. Could you please add reverse DNS as an additional field?

The case is that GETINFO stream-status just show one line per request and change at every new stream update, and that is horrible, very different than GETINFO circuit-status that dumps a lot of lines. Maybe because stream time of life is much shorter than circuits, but anyway... Removing sleep time does not solve it :(, the streams updates faster than that loop can run. So don't know yet what to do here.

About resolving dns, I don't want to send another request to tor-resolve or listening ADDRMAP as I tried here, I would prefer to not use GETINFO stream-status, the method I wish it worked was to show raw streams with SETEVENTS STREAM without closing the connecitons.