netstat reporting destinion IP address

anonym anonym at lavabit.com
Sun Nov 25 14:54:16 UTC 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 25/11/07 13:41, Robert Hogan wrote:
> On Sunday 25 November 2007 02:23:18 anonym wrote:
>> On 25/11/07 02:54, Gregory Maxwell wrote:
>>> On 11/24/07, anonym <anonym at lavabit.com> wrote:
>>>> Even though we still get as much anonymity as Tor offers and netstat is
>>>> wrong in some way I really do not want this to happen. Incognito uses
>>>> TorK as a control GUI to Tor, and since its "Non-Tor traffic log" uses
>>>> netstat and thus will log these erroneous connections, users might freak
>>>> out and think that Incognito is unsafe. In fact, that was what happened
>>>> to me. Can this be fixed?
>>> Yes. Don't do that.
>>>
>>> it would be better if you were running something that sniffed the
>>> network and showed the user all outbound packets that were not TOR.
> 
> Absolutely.The use of netstat for the gui (at the moment)  is intended to 
> alert the user to chronic non-anonmous traffic and is flagged in the gui 
> as 'Not 100% reliable'. The use-case is: OK I'm visiting this site 
> anonymously but is it generating stateful traffic I'm not necessarily 
> expecting? 
> 
> That log window has been there since the year dot and can definitely be 
> improved on. The simplest approach I can think of is a setuid libpcap-based 
> program to replace the use of netstat. The word 'setuid' rings alarm-bells 
> though and I would certainly welcome advice on how much harm such a thing 
> could cause. (Installing an rc.d launched daemon is very hard to do in a 
> (linux)  platform agnostic way, so if someone is suggesting such an approach 
> I would appreciated input on how to implement it properly).
> 
> Would libpcap capture stateless/connectionless traffic though?
> 
>> That would be better but my concern is mainly with TorK, and it uses
>> netstat for its logs. I don't expect the average Incognito user to
>> monitor netstat, but they might very well find some misleading
>> information in Tork's logs (as they are very easily accessible through a
>> nice GUI and all). Well, I guess this is an issue with TorK. Hopefully
>> Robert Hogan (TorK's maintainer) will read this, although my problem
>> might be a bit too specific to justify a fix which I guess would turn
>> out much more complex than the current solution with netstat.
>>
> 
> The 'real' solution is definitely still to be found. The information from 
> netstat  is misleading because it is using the /proc filesystem to gather 
> that's, and that's at least one level up from the packet-munging taking place 
> in netfilter (according to my simplistic understanding). It will always be 
> misleading. Maybe even the info from libpcap would be misleading. Could you 
> try out pktstat (which I learned of on #tor and uses libpcap) and see if the 
> correct info gets reported?

I've tried it now and it seems to only report the actual network
traffic. At least the "misleading" connections are gone. Great! Except
for tcp it also captures arp, icmp, udp etc.

There seems to be a name conflict so to avoid any confusion, I used this
pktstat: http://www.adaptive-enterprises.com.au/~d/software/pktstat/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHSYyXp8EswdDmSVgRAvouAJ4zJzofPH/GAFc3GzBnqKvm/GddCwCdH84A
fVpOK97RyBLi4R1GwhOnjyE=
=alyl
-----END PGP SIGNATURE-----



More information about the tor-talk mailing list