This wiki page provides useful [https://www.wireshark.org/ Wireshark] filters and hacks for analyzing ''packet dumps'' that contain ''Tor traffic''. Its main purpose is to help with analyzing Tor censorship incidents: the filters should speed up the tedious process of manually going through packet dumps to find out how the censorship is being conducted.
== Finding connections to the directory authorities ==
The following filter displays all packets going to or coming from the eight directory authorities. Censors sometimes blacklist these IP addresses outright, so traffic to them is worth checking first.
{{{
ip.addr == 128.31.0.39 or ip.addr == 86.59.21.38 or ip.addr == 194.109.206.212 or ip.addr == 76.73.17.194 or ip.addr == 212.112.245.170 or ip.addr == 193.23.244.244 or ip.addr == 208.83.223.34 or ip.addr == 171.25.193.9
}}}
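The same check done outside Wireshark, as an added example that is not part of the original page: a Python script using only the standard library that reads a classic pcap file, extracts the IPv4 endpoints of every Ethernet frame and reports the frames that touch any of the eight directory authority addresses in the filter above. It also emits that Wireshark display filter and the equivalent tcpdump capture filter from the same address list. The capture in the block is constructed inline (private and TEST-NET addresses, zero checksums) so that it runs offline; `find_dirauth_packets`, `iter_frames` and the other function names are this example's own.

```python
import socket
import struct

# The eight directory authority addresses from the filter above (page order).
DIR_AUTHORITIES = (
    "128.31.0.39", "86.59.21.38", "194.109.206.212", "76.73.17.194",
    "212.112.245.170", "193.23.244.244", "208.83.223.34", "171.25.193.9",
)
DIR_AUTHORITY_SET = frozenset(DIR_AUTHORITIES)


def wireshark_filter(addrs=DIR_AUTHORITIES):
    """Wireshark display filter matching packets to or from any listed address."""
    return " or ".join(f"ip.addr == {a}" for a in addrs)


def tcpdump_filter(addrs=DIR_AUTHORITIES):
    """Equivalent BPF capture filter for tcpdump/dumpcap."""
    return " or ".join(f"host {a}" for a in addrs)


def iter_frames(pcap):
    """Yield the raw link-layer frames of a classic (non-pcapng) pcap file."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"            # file written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"            # file written on a big-endian host
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != 1:           # LINKTYPE_ETHERNET
        raise ValueError(f"unsupported link type {linktype}")
    off = 24                    # the global header is 24 bytes
    while off + 16 <= len(pcap):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def ipv4_endpoints(frame):
    """Return (src, dst, protocol) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34:                         # 14-byte Ethernet + 20-byte IPv4 header
        return None
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != 0x0800:                     # not IPv4 (ARP, IPv6, ...)
        return None
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    return src, dst, frame[23]


def find_dirauth_packets(pcap, addrs=DIR_AUTHORITY_SET):
    """(frame number as Wireshark counts it, src, dst) for frames touching a directory authority."""
    hits = []
    for number, frame in enumerate(iter_frames(pcap), start=1):
        endpoints = ipv4_endpoints(frame)
        if endpoints is None:
            continue
        src, dst, _proto = endpoints
        if src in addrs or dst in addrs:
            hits.append((number, src, dst))
    return hits


# --- constructed sample capture so the script runs offline ---------------

def _frame(src_ip, dst_ip, src_port, dst_port):
    """Minimal Ethernet/IPv4/TCP SYN frame; checksums are left zero for the demo."""
    eth = bytes(12) + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def _pcap(frames):
    """Wrap frames in a little-endian classic pcap container."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)))
        out.append(f)
    return b"".join(out)


SAMPLE_PCAP = _pcap([
    _frame("10.0.0.5", "128.31.0.39", 51234, 443),      # client -> directory authority (hit)
    _frame("10.0.0.5", "203.0.113.10", 51235, 443),     # unrelated TEST-NET host (no hit)
    _frame("86.59.21.38", "10.0.0.5", 443, 51236),      # reply from a directory authority (hit)
    bytes(12) + struct.pack("!H", 0x0806) + bytes(28),  # ARP frame, skipped
])

if __name__ == "__main__":
    print(wireshark_filter())
    for number, src, dst in find_dirauth_packets(SAMPLE_PCAP):
        print(f"frame {number}: {src} -> {dst}")
```

On a real dump call `find_dirauth_packets(open("dump.pcap", "rb").read())`. Note that recent Wireshark versions save in pcapng by default; export as classic pcap (or capture with `tcpdump -w`) for this parser, and keep the authority list current, since the addresses change over time.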
== Finding the Tor-specific TLS client hello ==
The following filter shows all frames which contain the Tor-specific TLS client hello sent by Tor versions older than 0.2.3.17-beta. The filter looks for the unique cipher list in the client hello.

The following filter shows all frames which contain the Tor-specific TLS client hello sent by Tor version 0.2.3.17-beta and later. The filter likewise looks for the cipher list.
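The cipher-list filters above match a fixed byte pattern in the client hello. As an added example that is not part of the original page, the following standard-library Python code parses the cipher suite list out of a TLS ClientHello record so that a suspected fingerprint can be compared programmatically, and turns such a list into a Wireshark `frame contains` display filter. The suite values in `DEMO_FINGERPRINT` are constructed for the demo and are not Tor's actual cipher list, which this page does not reproduce; the function names are this example's own.

```python
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: client_hello


def parse_client_hello_ciphers(record):
    """Return the cipher suites (ints, in wire order) of a ClientHello TLS record, or None."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len, = struct.unpack_from("!H", record, 3)
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    off = 2 + 32                                 # client_version + random
    if len(hello) < off + 1:
        return None
    off += 1 + hello[off]                        # skip session_id (length-prefixed)
    if len(hello) < off + 2:
        return None
    cs_len, = struct.unpack_from("!H", hello, off)
    off += 2
    if cs_len % 2 or len(hello) < off + cs_len:  # malformed or truncated list
        return None
    return [struct.unpack_from("!H", hello, off + i)[0] for i in range(0, cs_len, 2)]


def cipher_list_bytes(suites):
    """Wire encoding of a cipher suite list: two big-endian bytes per suite."""
    return b"".join(struct.pack("!H", s) for s in suites)


def frame_contains_filter(suites):
    """Wireshark display filter matching any frame carrying exactly this cipher-suite byte string."""
    return "frame contains " + ":".join(f"{b:02x}" for b in cipher_list_bytes(suites))


def matches_fingerprint(record, fingerprint):
    """True when the record is a ClientHello whose cipher list equals the fingerprint, in order."""
    return parse_client_hello_ciphers(record) == list(fingerprint)


def build_client_hello(suites, version=b"\x03\x01"):
    """Constructed TLS 1.0 ClientHello (no extensions) used as sample input."""
    cs = cipher_list_bytes(suites)
    hello = (version + b"\x11" * 32 + b"\x00"          # version, random, empty session id
             + struct.pack("!H", len(cs)) + cs
             + b"\x01\x00"                            # one compression method: null
             + b"\x00\x00")                           # no extensions
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE]) + version + struct.pack("!H", len(handshake)) + handshake


# Constructed fingerprint for the demo, not the real Tor cipher list.
DEMO_FINGERPRINT = (0xC00A, 0xC014, 0x0039, 0x0038)

if __name__ == "__main__":
    rec = build_client_hello(DEMO_FINGERPRINT)
    print(parse_client_hello_ciphers(rec), matches_fingerprint(rec, DEMO_FINGERPRINT))
    print(frame_contains_filter(DEMO_FINGERPRINT))
```

Order matters: the comparison is against the list as sent, which is why a version that reorders or extends its cipher list, as 0.2.3.17-beta did, needs its own filter. A `frame contains` pattern will also match the same bytes appearing anywhere else in a frame, so confirm hits by checking that the frame is really a handshake record (`tls.handshake.type == 1` in current Wireshark, `ssl.handshake.type == 1` in older releases).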