This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to detect TOR usage with Wireshark?


I use TOR inside a Virtual Machine. I run Wireshark on my Host. I want to detect TOR usage (for learning/studying) with Wireshark but don't know how. I've tried this:

https://ask.wireshark.org/questions/13590/tor-detection

but tshark output doesn't show any cert names. Are there any other ways to accomplish this task?

Edit: reply to Kurt Knochner

This is what I did:

sudo wireshark

Then I choose the wan0 interface and basically start live capturing. I use Tor on my Virtual Machine and after a decent amount of time I save the log to file.pcapng.

Next, according to your method, I do:

tshark -r file.pcapng -T fields -R "ssl.handshake.certificate" -e x509af.utcTime -e x509s

Output:

tshark: -R without -2 is deprecated. For single-pass filtering use -Y.
$

And that's it, no certificates found. I also converted file.pcapng to file.pcap and ran the command again without luck. What am I doing wrong?

asked 29 Nov '14, 02:56


student1111

edited 04 Dec '14, 07:50


One Answer:


but tshark output doesn't show any cert names. Are there any other ways to accomplish this task?

Apparently it does work in my example, as shown in my answer to the question you mentioned.

So, you either did not capture SSL/TLS handshake traffic or there is a problem with the way you ran tshark. As you neither provided the tshark command nor the capture file, it's kind of hard/impossible to help you!

Please add the information I mentioned (tshark command, pcap file).

Regards
Kurt

answered 01 Dec '14, 17:00


Kurt Knochner ♦

Question updated with details you asked for

(04 Dec '14, 07:51) student1111
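Kurt's answer narrows the empty tshark output down to two causes: the capture holds no SSL/TLS handshake traffic, or tshark was run wrongly. The example below is added here and is not code from this thread or from the Wireshark project; it performs the same certificate-name check offline in plain Python, without tshark, so the two causes can be told apart from the counts it returns. It reads a classic pcap, pulls every certificate out of TLS Certificate handshake messages, extracts the subject and issuer commonName from the DER, and flags names shaped like the random-looking "www.<random>.com/.net" names Tor link certificates carry. The sample pcap, both certificates in it (unsigned skeletons), the IP addresses and the TOR_LIKE regex are all constructed or assumed for the example; the regex is a heuristic, not a Tor signature.

```python
import re
import struct

def der(tag, body):                       # minimal DER TLV encoder (lengths < 65536)
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body

def der_read(buf, pos=0):                 # -> (tag, body, next_pos); definite lengths only
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def der_children(body):                   # -> [(tag, body), ...] inside a constructed value
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = der_read(body, pos)
        out.append((tag, inner))
    return out

CN_OID = b"\x06\x03\x55\x04\x03"          # id-at-commonName (2.5.4.3), as an encoded OID
def name_cn(name_body):                   # commonName of SEQUENCE OF SET OF SEQUENCE {OID, str}
    for _, rdn in der_children(name_body):
        for _, atv in der_children(rdn):
            oid, value = der_children(atv)[:2]
            if der(*oid) == CN_OID:
                return value[1].decode("utf-8", "replace")
    return None

def cert_names(cert_der):                 # -> (subject CN, issuer CN) of one DER certificate
    fields = der_children(der_children(der_read(cert_der)[1])[0][1])   # tbsCertificate
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # drop optional [0] version (absent in v1)
    # fields: serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return name_cn(fields[4][1]), name_cn(fields[2][1])

def tls_certificates(payload):            # yield DER certs from TLS Certificate messages
    pos = 0
    while pos + 5 <= len(payload):
        ctype, _, rlen = struct.unpack("!BHH", payload[pos:pos + 5])
        rec, pos, hpos = payload[pos + 5:pos + 5 + rlen], pos + 5 + rlen, 0
        while ctype == 0x16 and hpos + 4 <= len(rec):            # 0x16 = handshake record
            htype, hlen = rec[hpos], int.from_bytes(rec[hpos + 1:hpos + 4], "big")
            hs, hpos = rec[hpos + 4:hpos + 4 + hlen], hpos + 4 + hlen
            cpos = 3 if htype == 0x0B else len(hs)              # 0x0B = Certificate; others skipped
            while cpos + 3 <= len(hs):
                clen = int.from_bytes(hs[cpos:cpos + 3], "big")
                yield hs[cpos + 3:cpos + 3 + clen]
                cpos += 3 + clen

def pcap_tcp_payloads(pcap):              # yield TCP payloads from a classic Ethernet pcap
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap (pcapng must be converted first)")
    end, pos = ("<" if magic == 0xA1B2C3D4 else ">"), 24         # 24 = global header
    while pos + 16 <= len(pcap):
        incl = struct.unpack(end + "IIII", pcap[pos:pos + 16])[2]
        frame, pos = pcap[pos + 16:pos + 16 + incl], pos + 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                            # IPv4 + TCP only
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        yield tcp[(tcp[12] >> 4) * 4:]

TOR_LIKE = re.compile(r"^www\.[a-z0-9]{8,20}\.(com|net)$")   # assumed shape of Tor link-cert names
def scan_pcap(pcap):                      # -> counts plus Tor-looking (subject CN, issuer CN) pairs
    out = {"tcp_segments": 0, "certificates": 0, "tor_like": []}
    for payload in pcap_tcp_payloads(pcap):
        out["tcp_segments"] += 1
        for cert in tls_certificates(payload):
            out["certificates"] += 1
            subject, issuer = cert_names(cert)
            if subject and TOR_LIKE.match(subject):
                out["tor_like"].append((subject, issuer))
    return out

# --- constructed sample input: not a real capture, and the certificates are unsigned skeletons ---
def fake_cert(subject_cn, issuer_cn):     # X.509 v3 layout that cert_names() can walk
    name = lambda cn: der(0x30, der(0x31, der(0x30, CN_OID + der(0x0C, cn.encode()))))
    alg = der(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x05\x00")   # sha256WithRSA
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name(issuer_cn)
           + der(0x30, der(0x17, b"141201000000Z") + der(0x17, b"151201000000Z"))
           + name(subject_cn) + der(0x30, alg + der(0x03, bytes(17))))
    return der(0x30, der(0x30, tbs) + alg + der(0x03, bytes(17)))

def tls_certificate_record(certs):        # TLS 1.2 record carrying one Certificate message
    chain = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    hs = b"\x0B" + (len(chain) + 3).to_bytes(3, "big") + len(chain).to_bytes(3, "big") + chain
    return struct.pack("!BHH", 0x16, 0x0303, len(hs)) + hs

def build_pcap(tcp_payload):              # one Ethernet/IPv4/TCP frame; checksums left zero
    tcp = struct.pack("!HHIIBBHHH", 443, 51000, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + tcp_payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10])) + tcp
    frame = bytes(6) + b"\x02" * 6 + b"\x08\x00" + ip
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
            + struct.pack("<IIII", 1417392000, 0, len(frame), len(frame)) + frame)

SAMPLE_PCAP = build_pcap(tls_certificate_record([fake_cert("www.bu6rfzt4qlgy.com", "www.k2pn5ahj.net")])
                         + tls_certificate_record([fake_cert("www.wireshark.org", "Example CA")]))
```

On a real file, call scan_pcap(open("file.pcap", "rb").read()). The counts make the situation in the question diagnosable: tcp_segments > 0 with certificates == 0 means the capture contains no Certificate handshake messages at all, which is the first of Kurt's two causes (the VM's Tor traffic never crossed the captured interface, or the handshakes happened before the capture started) and is exactly what an empty tshark field list looks like; the tshark warning quoted in the question is only a deprecation notice, and -Y is the single-pass filter it recommends. The parser deliberately rejects pcapng, so convert with editcap -F pcap first, or use tshark, which reads both. Treat a hit as a lead rather than proof: a genuine .com/.net site with an 8-20 character label matches the same regex, a random-looking issuer CN (rather than a known CA) strengthens the verdict, and TLS 1.3 encrypts the Certificate message, so this check only sees TLS 1.2 and older handshakes.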