torlookup - Man Page
tor exit node lookup for IP addresses
Synopsis
torlookup [-H torDBfile] iplist
torlookup -d directory -w torDBfile
Description
torlookup is a tool to check whether an IP address was a Tor exit node during specific time intervals. Before using torlookup, create the nfdump-specific lookup database.
torlookup is also used to create the nfdump-formatted lookup database file from a set of Tor archive files. You do not need an account to download or build the nfdump Tor database. See the section below for the building instructions.
torlookup accepts a list of IP addresses either on the command line, separated by spaces, or on stdin, one per line. The IP address on each line may be embedded in a string with other text separated by spaces on the left and right, so torlookup can read the piped output of other tools.
The options are as follows:
- -d directory
Use the tor archive files in directory to build the binary lookup database file. With this argument torlookup creates a new binary lookup database file.
- -w torDBfile
Name of the new lookup database file.
- -H torDBfile
Use the binary torDBfile as lookup database for the tor exit node lookups.
To locate the Tor lookup database, torlookup checks the following places:
- If the default nfdump(1) configuration file exists, it reads the tag tordb.path.
- If the environment variable NFTORDB is set, that setting is used as the lookup database.
- The command line argument -H.
If multiple locations are specified, -H takes precedence over the NFTORDB environment variable, which in turn overrides the nfdump configuration file.
Return Values
torlookup returns 0 on success and 255 otherwise.
Environment
torlookup reads the environment variable NFTORDB as the path of the lookup database.
Examples
The easiest way to create or update the binary lookup database is the script updateTorDB.sh provided with the other nfdump files. The script updateTorDB.sh accepts one argument: the number of months of Tor exit node data to include in the database. Since the database only covers the interval it was built from, you need to update the torDB on a regular basis to have up to date information. Do not forget to move the lookup database to its final location.
Lookup an IP with torlookup:
% ./torlookup -H tordb_full.nf 178.218.144.18
Node: 178.218.144.18, last published: 2024-07-31 11:53:12, intervals: 7
0 first: 2022-10-25 20:16:03, last: 2022-11-21 20:55:32
1 first: 2022-12-19 23:16:38, last: 2022-12-28 18:17:01
2 first: 2023-01-08 02:04:07, last: 2023-03-25 07:13:15
3 first: 2023-03-29 05:08:45, last: 2023-09-12 17:05:01
4 first: 2023-09-18 13:11:30, last: 2023-12-05 21:19:41
5 first: 2024-01-05 03:05:32, last: 2024-03-22 21:08:22
6 first: 2024-04-24 04:47:28, last: 2024-08-01 04:09:14
torlookup prints the number of intervals during which the IP was registered as an exit node, each delimited by its first and last timestamp.
Pipe the output of an nfdump statistic to torlookup for tor exit node verification:
% nfdump -r nfcapd.202408011200 -s ip | torlookup -H tordb_full.nf
Implementation Notes
If you use the tordb with nfdump to list flows and mark them as Tor exit nodes, the IP address as well as the flow start or flow end timestamp must fall into the appropriate Tor exit node interval. In the pipe example above, torlookup does not consider timestamps: it reports every interval for each IP regardless of when the flows were seen.
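The interval listing above and the timestamp rule in this note can be combined after the fact. The following script is an added example and not part of nfdump: it extracts IP addresses from arbitrary text lines the way torlookup reads piped input, parses torlookup's interval output (the sample from this page is embedded as constructed input), and applies the nfdump rule that a flow counts as Tor traffic only if its start or end time falls inside an exit-node interval. The function names, the regular expressions and the flow timestamps are assumptions made for this example.

```python
"""Match flow timestamps against torlookup(1) exit-node intervals.

Added example, not nfdump code. The output format is taken from the
torlookup man page sample; everything else here is assumed.
"""
import re
import sys
from datetime import datetime

# Constructed sample input: the torlookup output printed on the man page.
SAMPLE_OUTPUT = """\
Node: 178.218.144.18, last published: 2024-07-31 11:53:12, intervals: 7
0 first: 2022-10-25 20:16:03, last: 2022-11-21 20:55:32
1 first: 2022-12-19 23:16:38, last: 2022-12-28 18:17:01
2 first: 2023-01-08 02:04:07, last: 2023-03-25 07:13:15
3 first: 2023-03-29 05:08:45, last: 2023-09-12 17:05:01
4 first: 2023-09-18 13:11:30, last: 2023-12-05 21:19:41
5 first: 2024-01-05 03:05:32, last: 2024-03-22 21:08:22
6 first: 2024-04-24 04:47:28, last: 2024-08-01 04:09:14
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
NODE_RE = re.compile(r"^Node: (\S+), last published: (.+?), intervals: (\d+)$")
INTERVAL_RE = re.compile(r"^\s*\d+ first: (.+?), last: (.+?)\s*$")
TS = "%Y-%m-%d %H:%M:%S"


def extract_ips(line):
    """Pull IPv4 addresses out of a free-form text line, e.g. one row of
    'nfdump -s ip' output, mirroring how torlookup reads piped input."""
    return IPV4.findall(line)


def parse_torlookup(text):
    """Return {ip: [(first, last), ...]} from torlookup's interval listing.

    Raises ValueError if a node's interval lines do not match the count
    announced on its 'Node:' line (truncated or interleaved output)."""
    nodes, declared, current = {}, {}, None
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            current = m.group(1)
            nodes[current] = []
            declared[current] = int(m.group(3))
            continue
        m = INTERVAL_RE.match(line)
        if m and current is not None:
            nodes[current].append((datetime.strptime(m.group(1), TS),
                                   datetime.strptime(m.group(2), TS)))
    for ip, ivs in nodes.items():
        if len(ivs) != declared[ip]:
            raise ValueError(f"{ip}: expected {declared[ip]} intervals, got {len(ivs)}")
    return nodes


def exit_interval_at(intervals, when):
    """Index of the interval containing `when` (boundaries inclusive), or None."""
    for i, (first, last) in enumerate(intervals):
        if first <= when <= last:
            return i
    return None


def flow_was_tor(nodes, ip, flow_start, flow_end):
    """Apply the nfdump rule: the IP must be a known exit node and either
    the flow start or the flow end must fall into one of its intervals."""
    ivs = nodes.get(ip, [])
    return (exit_interval_at(ivs, flow_start) is not None
            or exit_interval_at(ivs, flow_end) is not None)


if __name__ == "__main__":
    # Usage: torlookup -H tordb.nf <ips> | python3 this.py  (or no stdin: use the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for ip, ivs in parse_torlookup(text).items():
        print(ip, "intervals:", len(ivs))
```

Flow timestamps are compared with inclusive boundaries; a flow that starts inside an interval and ends after it still counts, which is the same outcome nfdump's start-or-end rule gives.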
Use nfdump with the tordb:
% nfdump -H tordb.nf -r nfcapd.2024081200 -o tor
See Also
nfdump(1) includes built-in options to annotate output with Tor exit node information. See also nfdump tags %stor, %dtor.