= Packet dump analysis using Wireshark =

This wiki page provides useful [https://www.wireshark.org/ Wireshark] filters and hacks to analyze ''packet dumps'' containing ''Tor traffic''. The main purpose is to help with analyzing Tor censorship incidents. The provided information should speed up the tedious process of manually going through packet dumps to find out how censorship is being conducted.

== Finding connections to the directory authorities ==

The following filter displays all packets going to or coming from the eight directory authorities. Sometimes, these IP addresses are blacklisted. The set of authorities changes over time, so check the addresses against the current Tor release before relying on this filter.

{{{
ip.addr == 128.31.0.39 or ip.addr == 86.59.21.38 or ip.addr == 194.109.206.212 or ip.addr == 76.73.17.194 or ip.addr == 212.112.245.170 or ip.addr == 193.23.244.244 or ip.addr == 208.83.223.34 or ip.addr == 171.25.193.9
}}}

== Finding TLS client hellos ==

The following filter shows all TLS client hellos. In Wireshark 3.0 and later the dissector is named `tls` rather than `ssl`, so use `tls.handshake.type == 1` there.

{{{
ssl.handshake.type == 1
}}}

== Finding Tor-specific TLS client hellos (1/2) ==

The following filter shows all frames which contain the Tor-specific TLS client hello (for versions < 0.2.3.17-beta). The filter looks for the unique cipher list. Because `frame contains` is a byte-string search over the whole frame, it matches on any port, but only when the entire cipher list lies within a single captured frame.

{{{
frame contains c0:0a:c0:14:00:39:00:38:c0:0f:c0:05:00:35:c0:07:c0:09:c0:11:c0:13:00:33:00:32:c0:0c:c0:0e:c0:02:c0:04:00:04:00:05:00:2f:c0:08:c0:12:00:16:00:13:c0:0d:c0:03:fe:ff:00:0a:00:ff
}}}

== Finding Tor-specific TLS client hellos (2/2) ==

The following filter shows all frames which contain the Tor-specific TLS client hello (for versions >= 0.2.3.17-beta). The filter again looks for the cipher list, which is longer in these versions.

{{{
frame contains c0:0a:c0:14:00:88:00:87:00:39:00:38:c0:0f:c0:05:00:84:00:35:c0:07:c0:09:c0:11:c0:13:00:45:00:44:00:33:00:32:c0:0c:c0:0e:c0:02:c0:04:00:96:00:41:00:04:00:05:00:2f:c0:08:c0:12:00:16:00:13:c0:0d:c0:03:fe:ff:00:0a:00:ff
}}}

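As an added illustration (not part of the original page), the two cipher-list filters above re-implemented in Python for use outside Wireshark: the parser walks a raw TLS record (the TCP payload, not a full Ethernet frame, which is an assumption of this example) to the ClientHello cipher list and compares it with the two fingerprints, and a constructed minimal ClientHello serves as offline sample input.

```python
# Cipher-suite byte strings from the two "frame contains" filters above
# (Wireshark's colon-separated hex notation, copied verbatim).
TOR_FILTERS = {
    "tor < 0.2.3.17-beta":
        "c0:0a:c0:14:00:39:00:38:c0:0f:c0:05:00:35:c0:07:c0:09:c0:11:c0:13:"
        "00:33:00:32:c0:0c:c0:0e:c0:02:c0:04:00:04:00:05:00:2f:c0:08:c0:12:"
        "00:16:00:13:c0:0d:c0:03:fe:ff:00:0a:00:ff",
    "tor >= 0.2.3.17-beta":
        "c0:0a:c0:14:00:88:00:87:00:39:00:38:c0:0f:c0:05:00:84:00:35:c0:07:"
        "c0:09:c0:11:c0:13:00:45:00:44:00:33:00:32:c0:0c:c0:0e:c0:02:c0:04:"
        "00:96:00:41:00:04:00:05:00:2f:c0:08:c0:12:00:16:00:13:c0:0d:c0:03:"
        "fe:ff:00:0a:00:ff",
}
TOR_SUITES = {k: bytes.fromhex(v.replace(":", "")) for k, v in TOR_FILTERS.items()}


def cipher_suites(record):
    """Return the cipher-suite bytes of a TLS ClientHello record, else None."""
    # Layout: record hdr (5), handshake hdr (4), version (2), random (32), ...
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                    # not a handshake record / ClientHello
    pos = 9 + 2 + 32
    if pos >= len(record):
        return None
    pos += 1 + record[pos]             # skip session_id (1-byte length + body)
    if pos + 2 > len(record):
        return None
    n = int.from_bytes(record[pos:pos + 2], "big")
    suites = record[pos + 2:pos + 2 + n]
    return suites if len(suites) == n else None


def classify(record):
    """Label a ClientHello by its cipher list; None if not a ClientHello."""
    suites = cipher_suites(record)
    if suites is None:
        return None
    for label, fingerprint in TOR_SUITES.items():
        if suites == fingerprint:
            return label
    return "non-Tor client hello"


def build_client_hello(suites):
    """Constructed minimal TLS 1.0 ClientHello (zero random, empty session id)."""
    body = (b"\x03\x01" + bytes(32) + b"\x00"
            + len(suites).to_bytes(2, "big") + suites + b"\x01\x00")
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake
```

Unlike `frame contains`, the exact comparison in `classify` will not fire on a client whose longer cipher list merely embeds one of the Tor lists, and it needs the whole ClientHello in one record.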
== Finding new TCP connection attempts ==

The following filter displays TCP SYN segments and excludes SYN/ACK segments. That way, new connection attempts (e.g. to relays) can be identified easily.

{{{
tcp.flags.syn == 1 and tcp.flags.ack == 0
}}}