Packet dump analysis using Wireshark
This wiki page provides useful Wireshark filters and hacks to analyze packet dumps containing Tor traffic. The main purpose is to help with analyzing Tor censorship incidents. The provided information should speed up the tedious process of manually going through packet dumps to find out how censorship is being conducted.
Finding connections to the directory authorities
The following filter displays all packets going to or coming from the directory authorities (eight at the time this page was written). Censors sometimes blacklist these addresses outright, so connection attempts to them that never get a reply are an early hint. The set of authorities and their addresses change over time, and the addresses in this copy of the page cannot be trusted (two of them are listed twice), so rebuild the list from the tor release under analysis (the hard-coded authority entries in src/or/config.c in older releases, src/app/config/auth_dirs.inc in newer ones) before relying on the filter.
ip.addr == 22.214.171.124 or ip.addr == 126.96.36.199 or ip.addr == 188.8.131.52 or ip.addr == 184.108.40.206 or ip.addr == 220.127.116.11 or ip.addr == 18.104.22.168 or ip.addr == 22.214.171.124 or ip.addr == 126.96.36.199
Finding TLS client hellos
The following filter shows all TLS client hellos. It only matches streams that Wireshark dissects as TLS; for an ORPort on a port Wireshark does not associate with TLS, use "Decode As..." to force the TLS dissector. In Wireshark 3.0 and later the field prefix is tls rather than ssl, so the same filter reads tls.handshake.type == 1 there.
ssl.handshake.type == 1
Finding Tor-specific TLS client hellos (1/2)
The following filter shows all frames which contain the Tor-specific TLS client hello sent by versions before 0.2.3.17-beta. It looks for the cipher list those versions offered, which was unique to Tor. frame contains is a raw byte search over the whole frame, so it works even where Wireshark does not dissect the stream as TLS, but it only matches when the complete cipher list sits in a single frame, and it also matches any other payload that happens to embed these bytes.
frame contains c0:0a:c0:14:00:39:00:38:c0:0f:c0:05:00:35:c0:07:c0:09:c0:11:c0:13:00:33:00:32:c0:0c:c0:0e:c0:02:c0:04:00:04:00:05:00:2f:c0:08:c0:12:00:16:00:13:c0:0d:c0:03:fe:ff:00:0a:00:ff
Finding Tor-specific TLS client hellos (2/2)
The following filter shows all frames which contain the Tor-specific TLS client hello of version 0.2.3.17-beta and later. It looks for the longer cipher list introduced in that version. Tor has changed its cipher list again in later releases, so confirm the list against a capture of the version under analysis before drawing conclusions from a missing match.
frame contains c0:0a:c0:14:00:88:00:87:00:39:00:38:c0:0f:c0:05:00:84:00:35:c0:07:c0:09:c0:11:c0:13:00:45:00:44:00:33:00:32:c0:0c:c0:0e:c0:02:c0:04:00:96:00:41:00:04:00:05:00:2f:c0:08:c0:12:00:16:00:13:c0:0d:c0:03:fe:ff:00:0a:00:ff
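As an added example, not part of this wiki page or of the Tor project: a small Python parser that pulls the cipher-suite list out of a raw TLS ClientHello and compares it with the two Tor lists above, so it serves both the pre-0.2.3.17-beta and the 0.2.3.17-beta-and-later filters. It shows where in the handshake the bytes that frame contains matches actually sit, and why an exact comparison of the list is stricter than the substring search the display filter performs. The two cipher lists are copied from the filters on this page; the function names and the constructed ClientHello bytes are assumptions made for the demonstration.

```python
"""Classify TLS ClientHellos by their cipher-suite list.

Added example for this page; not code from the wiki page or the Tor project.
The two cipher lists are copied from the "frame contains" filters above.
Function names and the constructed ClientHello bytes are assumptions.
"""
import struct

# Cipher-suite lists copied from the two Wireshark filters on this page.
TOR_CIPHERS_PRE_0_2_3_17 = bytes.fromhex(
    "c00a c014 0039 0038 c00f c005 0035 c007 c009 c011 c013 0033 0032 "
    "c00c c00e c002 c004 0004 0005 002f c008 c012 0016 0013 c00d c003 "
    "feff 000a 00ff"
)
TOR_CIPHERS_0_2_3_17_BETA = bytes.fromhex(
    "c00a c014 0088 0087 0039 0038 c00f c005 0084 0035 c007 c009 c011 "
    "c013 0045 0044 0033 0032 c00c c00e c002 c004 0096 0041 0004 0005 "
    "002f c008 c012 0016 0013 c00d c003 feff 000a 00ff"
)

TLS_HANDSHAKE = 0x16   # TLS record content type
CLIENT_HELLO = 0x01    # handshake message type


def parse_client_hello(data):
    """Parse one TLS record carrying a complete ClientHello.

    Returns a dict with the client version, the cipher-suite list and the raw
    cipher-suite bytes, or None when `data` is not one complete ClientHello
    (wrong record type, wrong handshake type, or truncated).
    """
    try:
        if data[0] != TLS_HANDSHAKE:
            return None
        rec_len, = struct.unpack("!H", data[3:5])
        body = data[5:5 + rec_len]
        if len(body) != rec_len or body[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hs = body[4:4 + hs_len]
        if len(hs) != hs_len:
            return None            # handshake continues in another segment
        off = 0
        version = (hs[off], hs[off + 1])
        off += 2
        off += 32                  # client random
        off += 1 + hs[off]         # length-prefixed session id
        cs_len, = struct.unpack("!H", hs[off:off + 2])
        off += 2
        if cs_len % 2 or off + cs_len > len(hs):
            return None
        cs_bytes = hs[off:off + cs_len]
    except (IndexError, struct.error):
        return None
    suites = [int.from_bytes(cs_bytes[i:i + 2], "big") for i in range(0, cs_len, 2)]
    return {"version": version, "cipher_suites": suites, "cipher_bytes": cs_bytes}


def classify_client_hello(data):
    """Map a ClientHello to one of the two Tor cipher lists from this page."""
    hello = parse_client_hello(data)
    if hello is None:
        return "not-a-client-hello"
    if hello["cipher_bytes"] == TOR_CIPHERS_PRE_0_2_3_17:
        return "tor-pre-0.2.3.17-beta"
    if hello["cipher_bytes"] == TOR_CIPHERS_0_2_3_17_BETA:
        return "tor-0.2.3.17-beta-or-later"
    return "other"


def frame_contains(frame, needle):
    """Mimic Wireshark's `frame contains`: a plain substring search over the
    raw frame bytes, regardless of whether the payload parses as TLS."""
    return needle in frame


def wireshark_filter(cipher_bytes):
    """Render a cipher-suite byte string as a `frame contains` display filter."""
    return "frame contains " + ":".join(f"{b:02x}" for b in cipher_bytes)


def build_client_hello(cipher_bytes, session_id=b"", random_bytes=bytes(32)):
    """Construct a minimal TLS 1.0 ClientHello record (constructed test data)."""
    hs = (b"\x03\x01" + random_bytes + bytes([len(session_id)]) + session_id
          + struct.pack("!H", len(cipher_bytes)) + cipher_bytes
          + b"\x01\x00")                     # one compression method: null
    body = bytes([CLIENT_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    cases = {
        "old tor": TOR_CIPHERS_PRE_0_2_3_17,
        "new tor": TOR_CIPHERS_0_2_3_17_BETA,
        "old tor + extra suite": TOR_CIPHERS_PRE_0_2_3_17 + bytes.fromhex("c02f"),
        "browser-like": bytes.fromhex("c02f c030 009c 002f"),
    }
    for label, ciphers in cases.items():
        hello = build_client_hello(ciphers)
        print(f"{label:24s} exact={classify_client_hello(hello):28s} "
              f"frame_contains(old list)={frame_contains(hello, TOR_CIPHERS_PRE_0_2_3_17)}")
```

Feed it the TCP payload of a suspected client hello (for instance exported from Wireshark via Follow TCP Stream, saved as raw). parse_client_hello returns None for anything that is not one complete ClientHello in one record, which is also the case the frame contains filter misses when the hello is split across segments; the "old tor + extra suite" case shows the opposite failure, where frame contains still matches because the Tor list is merely embedded in a longer list.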
Finding new TCP connection attempts
The following filter displays TCP segments with SYN set and ACK clear, i.e. the first segment of a handshake, but not the SYN/ACK reply. That way, new connection attempts (e.g. to relays or bridges) can be identified easily, and comparing them with the SYN/ACKs that come back shows which attempts were answered.
tcp.flags.syn == 1 and tcp.flags.ack == 0