sys-whonix sends traffic outside Tor


atlahua

May 9, 2017, 10:34:12 AM
to qubes...@googlegroups.com
I have sys-whonix set up to use Tor bridges. However when I run the
shell command 'ss -a -r -t' I can see that some of the traffic is sent
to IP addresses other than the selected bridge.

Why is sys-whonix sending traffic outside Tor?

cooloutac

May 9, 2017, 3:49:41 PM
to qubes-users, atl...@krutt.org

What is the traffic? Where is it going?

cooloutac

May 9, 2017, 4:06:55 PM
to qubes-users, atl...@krutt.org
On Tuesday, May 9, 2017 at 10:34:12 AM UTC-4, atlahua wrote:

> I did netstat; they all say tor except these two:
>
> tcp 0 0 127.0.0.1:4101 0.0.0.0:* LISTEN 215/brltty
>
> tcp 0 0 10.137.3.1:9052 0.0.0.0:* LISTEN 902/python
>
> tcp 0 0 0.0.0.0:8082 0.0.0.0:* LISTEN 925/tinyproxy
>
> All the rest are with ports in the 9100s, which I assume is tor.
> tcp 0 0 10.137.3.1:9181 0.0.0.0:* LISTEN 997/tor

You should also check from sys-net to see what is leaving your PC.

cooloutac

May 9, 2017, 9:34:39 PM
to qubes-users, atl...@krutt.org

You can use Wireshark, tcpdump, or EtherApe, but all are extremely vulnerable. lol

atlahua

May 10, 2017, 11:19:35 AM
to cooloutac, qubes-users

Thanks to all of you for your feedback.
At the time I detected the issue I made the mistake of not noting down the
IP address to which the traffic was sent.
I cannot reproduce the problem right now, and all I can see is that
sys-whonix is using one obfs bridge and a non-obfs bridge
simultaneously. Nothing else that may look suspicious.

As for checking sys-net traffic, I guess you mean sys-firewall. sys-net
should not be connected to the network. Nothing coming out though.

cooloutac

May 10, 2017, 12:02:15 PM
to qubes-users, raah...@gmail.com, atl...@krutt.org

Your network card is in sys-net. sys-firewall is the in-between proxy. It's considered trusted, so I wouldn't run any monitoring programs in it. Better to run them in sys-net or make another proxy.
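As an added example (not code from the thread or from Whonix), a POSIX shell check for the question the thread raises: it takes the peer addresses of established TCP connections as printed by `ss -tn state established` inside sys-whonix, compares them against the `Bridge` lines of torrc, and lists any peer that is not a configured bridge. The ss output and torrc fragment below are constructed, and the torrc path in the comment is an assumption (it varies by Whonix version).

```shell
#!/bin/sh
# Added example, not code from the thread. Lists remote endpoints of
# established TCP connections that are NOT a bridge configured in torrc.
# Inside sys-whonix you would run (torrc path is an assumption):
#   non_bridge_peers "$(ss -tn state established)" "$(cat /etc/tor/torrc)"
# Numeric output (-n) is required; with -r, as used in the thread, resolved
# names would not match the addresses in torrc.

# Print "ip:port" for every Bridge line, plain or pluggable-transport form.
bridge_endpoints() {
    printf '%s\n' "$1" | awk '
        $1 == "Bridge" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-9.]+:[0-9]+$/) { print $i; break }
        }'
}

# Print peers from ss output that are not in the bridge set. The header
# decides the peer column: with "state established" ss drops the State
# column, so the peer is field 4; a plain "ss -tn" listing has it in field 5.
non_bridge_peers() {
    bridges=$(bridge_endpoints "$2")
    printf '%s\n' "$1" | awk -v bridges="$bridges" '
        BEGIN {
            n = split(bridges, b, "\n")
            for (i = 1; i <= n; i++) if (b[i] != "") allowed[b[i]] = 1
        }
        NR == 1 { peer_col = ($1 == "State") ? 5 : 4; next }
        NF >= peer_col && !($peer_col in allowed) { print $peer_col }'
}

# Constructed torrc fragment; addresses and fingerprints are placeholders.
BRIDGES='UseBridges 1
Bridge obfs4 192.0.2.10:443 0123456789ABCDEF0123456789ABCDEF01234567 cert=AAAA iat-mode=0
Bridge 198.51.100.7:9001 FEDCBA9876543210FEDCBA9876543210FEDCBA98'

# Constructed `ss -tn state established` output: two connections to the
# configured bridges and one to an address that is not a bridge.
SS_OUTPUT='Recv-Q Send-Q Local Address:Port    Peer Address:Port
0      0      10.137.3.1:41822     192.0.2.10:443
0      0      10.137.3.1:41830     198.51.100.7:9001
0      0      10.137.3.1:41844     203.0.113.55:443'

non_bridge_peers "$SS_OUTPUT" "$BRIDGES"
```

A peer in the output is not by itself proof of a leak (Tor itself may, for instance, still be talking to a bridge that was just removed from torrc), but it is the address to note down before the connection disappears, which is exactly what the original poster was unable to do.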
