Huge number of circuits being made, why?

I was watching the nyx connections page, and noticed a very large number of circuits being built. Sometimes 20, and even up to 90.
What is normal? How can I see the processes that are requesting these circuits? I run Gajim messenger, if that matters, but I think I’ve seen this without that even running.
I was thinking that this is a big security hole, as something could keep requesting new circuits until a rogue / ‘Bad’ machine is reached in an effective place for snooping.

Welcome to the forums and thank you for your question.

This might sound a bit strange, but…

This is a good question. However, Whonix isn’t the producer of Tor. Whonix is a Linux distribution, an integration project. The developers of Tor will probably have a better answer to this.

Comparison with Tor running outside of Whonix is always a good idea.

To understand why that is, please kindly also have a look at Linux User Experience versus Commercial Operating Systems and Free Support Principle.

Related:

“Same way you would do that when using Tor outside of Whonix.”

On Whonix-Gateway: It’s difficult but that may not be surprising since this is a difficult question. As far as I know there is no easy tool to see that. By the time traffic ends up on Whonix-Gateway, the information which process the connection originated from is lost and may only be restructured/guessed by using network analyzers such as tshark / wireshark which are non-trivial to use.

Again, “not a Whonix specific problem”, this would happen on any “Tor client running on a different machine than the application” setup.

On Whonix-Workstation: Scrutinizing the traffic on Whonix-Workstation is a bit easier using the usual Linux tools but rootkits could just hide themselves from such analysis.

This may be true but is again something which would have to be solved in Tor. It’s an unresolved Tor research task as far as I know.

See this ticket which I created 7 years ago:
Research: IP discovery through Tor behind isolated network

See it that way. 7 years ago, it wasn’t easy to make sure that Tor gets used while using a general purpose operating system. That was solved. See:

What is not done indeed is providing tools for easy analysis and research.

@a_whonixer I had wondered the same thing about the number of circuits. I made a thread about it. In my situation, dozens of circuits were being made and almost immediately destroyed. My connection was not interrupted and no crashes of Tor. I only noticed it if I went into Nyx or Onion Circuits.
Since other people had the same thing happen to them, we can be pretty sure it’s just something on Tor’s side.

Thanks for responding.
When I saw 90 circuits I thought something is going wrong. A fundamental question on the Tor circuit workings: Can a user process request a new circuit to be built? If that was the case, maybe the slew of requests could be monitored or trapped in some way. I’m not comfortable with this going on. Not sure if there is a debug mode or some other way to watch what Tor itself is up to.

Already asked at Tor circuit issues

Yes, sending a NEWNYM signal to the Tor control port will make it create a new circuit.


Great. How do I monitor these requests to see what is opening 90 circuits?

It’s most likely that nothing is opening them manually. Tor creates new circuits automatically if the one it has attempted to use doesn’t work and the network seems to be under a lot of load.
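
One way to check the question raised in this thread, as an added example that is not part of any post above and is not code from Tor or Whonix: tally Tor control-port `CIRC` and `SIGNAL` events to see how many circuits were launched for Tor's own purposes and how many NEWNYM signals were actually received. It assumes the lines were collected from a control connection after `SETEVENTS CIRC SIGNAL`; the sample lines, relay names and fingerprints are constructed.

```python
import re
from collections import Counter

FP = "A" * 40  # constructed relay fingerprint
T = "TIME_CREATED=2020-01-01T10:00:00.000000"
# Constructed control-port event lines (illustrative, not a real capture).
SAMPLE = f"""\
650 CIRC 11 LAUNCHED BUILD_FLAGS=IS_INTERNAL,NEED_CAPACITY PURPOSE=GENERAL {T}
650 CIRC 11 FAILED BUILD_FLAGS=IS_INTERNAL,NEED_CAPACITY PURPOSE=GENERAL {T} REASON=TIMEOUT
650 CIRC 12 LAUNCHED BUILD_FLAGS=NEED_CAPACITY PURPOSE=MEASURE_TIMEOUT {T}
650 CIRC 13 LAUNCHED BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL {T}
650 CIRC 13 BUILT ${FP}~guardA,${FP}~midB,${FP}~exitC BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL {T}
650 SIGNAL NEWNYM
650 CIRC 13 CLOSED ${FP}~guardA,${FP}~midB,${FP}~exitC BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL {T} REASON=FINISHED
650 CIRC 14 LAUNCHED BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL {T}
""".splitlines()
KEYWORD = re.compile(r"^([A-Z_]+)=(.*)$")  # keyword fields, e.g. PURPOSE=GENERAL

def parse_circ(line):
    """Return a dict for a '650 CIRC' event line, or None for any other line."""
    parts = line.split()
    if len(parts) < 4 or parts[:2] != ["650", "CIRC"]:
        return None
    event = {"id": parts[2], "status": parts[3], "path": None}
    for token in parts[4:]:
        m = KEYWORD.match(token)
        if m:
            event[m.group(1)] = m.group(2)
        else:
            event["path"] = token  # hop list such as $FP~nick,$FP~nick
    return event

def summarize(lines):
    """Count launches by (purpose, internal?), end reasons, and NEWNYM signals."""
    launched, ended, newnym = Counter(), Counter(), 0
    for line in lines:
        if line.split() == ["650", "SIGNAL", "NEWNYM"]:
            newnym += 1  # Tor reports that it received a NEWNYM signal
            continue
        ev = parse_circ(line)
        if ev is None:
            continue
        if ev["status"] == "LAUNCHED":
            # IS_INTERNAL: circuit is not to be used for exit streams
            internal = "IS_INTERNAL" in ev.get("BUILD_FLAGS", "").split(",")
            launched[(ev.get("PURPOSE", "UNKNOWN"), internal)] += 1
        elif ev["status"] in ("FAILED", "CLOSED"):
            ended[ev.get("REASON", "UNKNOWN")] += 1
    return {"launched": launched, "ended": ended, "newnym": newnym}
```
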