
Packet dump analysis using Wireshark

This wiki page collects Wireshark display filters and tricks for analyzing packet dumps that contain Tor traffic. The main purpose is to help with analyzing Tor censorship incidents: the filters below should speed up the tedious process of manually going through packet dumps to find out how censorship is being conducted. All of them work unchanged as tshark -Y display filters, so they can also be run on captures taken on a headless machine.

Finding connections to the directory authorities

The following filter displays all packets going to or coming from the eight directory authorities, as of early 2013. Censors sometimes block exactly these addresses, so a capture in which SYNs to them get no reply (or get a RST back) is a strong hint. The set of authorities changes over time; check the list compiled into the Tor release the client actually runs before relying on these addresses.

ip.addr == 128.31.0.39 or ip.addr == 86.59.21.38 or ip.addr == 194.109.206.212 or ip.addr == 76.73.17.194 or ip.addr == 212.112.245.170 or ip.addr == 193.23.244.244 or ip.addr == 208.83.223.34 or ip.addr == 171.25.193.9

Finding TLS client hellos

The following filter shows all TLS client hellos. It relies on Wireshark dissecting the connection as TLS, which it does only on ports it associates with TLS (443 and a few others); for relays listening on other ORPorts, add the port via Decode As... or use the raw byte-pattern filters in the next two sections, which do not depend on dissection. In Wireshark 3.0 and later the protocol prefix is tls instead of ssl, i.e. tls.handshake.type == 1.

ssl.handshake.type == 1

Finding Tor-specific TLS client hellos (1/2)

The following filter shows all frames containing the Tor-specific TLS client hello sent by versions < 0.2.3.17-beta. It matches the raw bytes of the cipher suite list those versions advertised, which is distinctive enough to serve as a fingerprint. Because frame contains searches the bytes of a single frame, it works whether or not Wireshark dissects the connection as TLS, but it misses a client hello that is split across several TCP segments.

frame contains c0:0a:c0:14:00:39:00:38:c0:0f:c0:05:00:35:c0:07:c0:09:c0:11:c0:13:00:33:00:32:c0:0c:c0:0e:c0:02:c0:04:00:04:00:05:00:2f:c0:08:c0:12:00:16:00:13:c0:0d:c0:03:fe:ff:00:0a:00:ff

Finding Tor-specific TLS client hellos (2/2)

The following filter shows all frames containing the Tor-specific TLS client hello sent by versions >= 0.2.3.17-beta, again by matching the raw bytes of the cipher suite list. Later Tor releases changed the list again, so treat this as a fingerprint for clients of that era rather than for current ones; the same single-frame caveat as above applies.

frame contains c0:0a:c0:14:00:88:00:87:00:39:00:38:c0:0f:c0:05:00:84:00:35:c0:07:c0:09:c0:11:c0:13:00:45:00:44:00:33:00:32:c0:0c:c0:0e:c0:02:c0:04:00:96:00:41:00:04:00:05:00:2f:c0:08:c0:12:00:16:00:13:c0:0d:c0:03:fe:ff:00:0a:00:ff

Finding new TCP connection attempts

The following filter displays TCP segments with SYN set and ACK clear, i.e. the first segment of a client-initiated handshake; SYN/ACK replies are excluded. That way, new connection attempts (e.g. to relays or bridges) can be identified easily, and a SYN that is never answered with a SYN/ACK, or is answered with a RST, points at a blocked destination.

tcp.flags.syn == 1 and tcp.flags.ack == 0
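
The filters above are easy to apply one at a time in the GUI, but for a batch of captures it helps to have the same logic in a script. The following is an added example, not code from this page or from the Tor project: a small stdlib-only Python script that reads a classic little-endian Ethernet pcap and reports matches for all four filters on this page (directory authority addresses, SYN-only segments, TLS client hellos, and the two Tor cipher suite lists). The capture it runs on is constructed inline from the authority list above plus documentation-range relay addresses; the ports, addresses and helper names in it are assumptions made for the demo.

```python
"""Offline equivalent of this page's Wireshark filters. Added example, not from the page or
the Tor project; the pcap at the bottom is constructed for the demo, not captured."""
import struct

DIR_AUTHS = {  # directory authority addresses as listed on this page (early-2013 snapshot)
    "128.31.0.39", "86.59.21.38", "194.109.206.212", "76.73.17.194",
    "212.112.245.170", "193.23.244.244", "208.83.223.34", "171.25.193.9",
}
TOR_CIPHERS = {  # cipher suite lists from this page, keyed by the Tor version range that sent them
    "tor<0.2.3.17-beta": bytes.fromhex((
        "c0:0a:c0:14:00:39:00:38:c0:0f:c0:05:00:35:c0:07:c0:09:c0:11:c0:13:00:33:00:32:c0:0c:c0:0e:"
        "c0:02:c0:04:00:04:00:05:00:2f:c0:08:c0:12:00:16:00:13:c0:0d:c0:03:fe:ff:00:0a:00:ff").replace(":", "")),
    "tor>=0.2.3.17-beta": bytes.fromhex((
        "c0:0a:c0:14:00:88:00:87:00:39:00:38:c0:0f:c0:05:00:84:00:35:c0:07:c0:09:c0:11:c0:13:00:45:00:44:"
        "00:33:00:32:c0:0c:c0:0e:c0:02:c0:04:00:96:00:41:00:04:00:05:00:2f:c0:08:c0:12:00:16:00:13:c0:0d:c0:03:fe:ff:00:0a:00:ff").replace(":", "")),
}
SYN, ACK = 0x02, 0x10

def tcp_segments(pcap):
    """Yield (src, dst, sport, dport, flags, payload) for each IPv4/TCP frame in a
    little-endian Ethernet pcap; other frames are skipped."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected little-endian pcap (magic a1b2c3d4); convert pcapng first")
    off = 24                                            # skip the global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                    # not IPv4 over Ethernet, or not TCP
        ihl, total = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
        ip, tcp = frame[14:14 + ihl], frame[14 + ihl:14 + total]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield (".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
               sport, dport, tcp[13], tcp[(tcp[12] >> 4) * 4:])

def client_hello_ciphers(payload):
    """Cipher suite bytes of a TLS ClientHello at the start of a TCP payload, else None.
    A hello split across segments also gives None; 'frame contains' misses those too."""
    if len(payload) < 46 or payload[0] != 0x16 or payload[5] != 0x01:
        return None                                     # not a Handshake record / not ClientHello
    rec_len = struct.unpack_from("!H", payload, 3)[0]
    hs_len = int.from_bytes(payload[6:9], "big")
    if 5 + rec_len > len(payload) or 4 + hs_len > rec_len:
        return None                                     # record or handshake body incomplete
    p = 44 + payload[43]                                # skip client_version, random, session id
    if p + 2 > len(payload):
        return None
    cs_len = struct.unpack_from("!H", payload, p)[0]
    return payload[p + 2:p + 2 + cs_len]

def tor_version_hint(ciphers):
    """Tor version range whose cipher list matches exactly, or None for anything else."""
    return next((v for v, fp in TOR_CIPHERS.items() if fp == ciphers), None)

def analyze(pcap):
    """Apply the page's four filters to every TCP segment; returns matches per filter."""
    hits = {"dirauth": [], "syn": [], "client_hello": [], "tor_hello": []}
    for src, dst, sport, dport, flags, payload in tcp_segments(pcap):
        conn = f"{src}:{sport} -> {dst}:{dport}"
        if src in DIR_AUTHS or dst in DIR_AUTHS:        # ip.addr == <authority> or ...
            hits["dirauth"].append(conn)
        if flags & SYN and not flags & ACK:             # tcp.flags.syn == 1 and tcp.flags.ack == 0
            hits["syn"].append(conn)
        ciphers = client_hello_ciphers(payload)         # ssl.handshake.type == 1
        if ciphers is not None:
            hits["client_hello"].append(conn)
            hint = tor_version_hint(ciphers)            # frame contains <cipher list>
            if hint:
                hits["tor_hello"].append((conn, hint))
    return hits

# Constructed sample capture (assumed addresses/ports); zero MACs and checksums suffice here.
def build_frame(src, dst, sport, dport, flags, payload=b""):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_client_hello(ciphers):  # minimal TLS 1.0 ClientHello record with the given suite list
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", len(ciphers)) + ciphers + b"\x01\x00"
    return b"\x16\x03\x01" + struct.pack("!H", 4 + len(body)) + b"\x01" + len(body).to_bytes(3, "big") + body

def build_pcap(frames):  # little-endian pcap, link type 1 (Ethernet)
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    out += [struct.pack("<IIII", 1360000000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return b"".join(out)

SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "128.31.0.39", 40001, 9131, SYN),        # SYN to an authority's DirPort
    build_frame("128.31.0.39", "10.0.0.5", 9131, 40001, SYN | ACK),  # its SYN/ACK: not a new attempt
    build_frame("10.0.0.5", "198.51.100.7", 40002, 9001, SYN),       # SYN to a relay ORPort
    build_frame("10.0.0.5", "198.51.100.7", 40002, 9001, ACK, build_client_hello(TOR_CIPHERS["tor>=0.2.3.17-beta"])),
    build_frame("10.0.0.5", "203.0.113.9", 40003, 443, ACK, build_client_hello(bytes.fromhex("c02f0035"))),
])

if __name__ == "__main__":
    for name, matches in analyze(SAMPLE_PCAP).items():
        print(f"{name:12s} {matches}")
```

To run it on a real dump, replace SAMPLE_PCAP with open(path, "rb").read(); pcapng or big-endian captures have to be converted first (for example with editcap -F pcap). Like frame contains, client_hello_ciphers only looks within one segment, so a ClientHello fragmented across segments has to be reassembled before its cipher list is seen.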

Last modified on Feb 5, 2013, 11:29:06 PM