There's the tell-tale signs of TCP and TLSv1 use, along with port 9001 and 9030.
Port 9030 is the directory server port. The client gets the list of nodes from the directory servers if it does not have that list stored locally. So you will only see that traffic if the client was started for the first time, or after a long time.
Port 9001 is the default Tor port, but many nodes run on port 443 (or any other port). That is configurable. So you will only see traffic on this port if your clients talk to a Tor node with the default port settings.
But having completed some tests - I've discovered this only worked once over 10 tests!!
The best sign for Tor traffic is this:
Look at the certificates. The Tor nodes will present a cert with a "random" name, like these:
Check the Lifetime of the cert. Tor certs are often valid for one year, starting with the current day (weak criteria).
notBefore: utcTime (0) utcTime: 12-08-14 07:51:17 (UTC)
notAfter: utcTime (0) utcTime: 13-08-14 07:51:17 (UTC)
Using tshark, you can find this information as follows:
tshark -r tor_traffic.cap -T fields -R "ssl.handshake.certificate" -e x509af.utcTime -e x509sat.printableString
12-08-14 09:02:40 (UTC),13-08-14 09:02:40 (UTC) www.esvo7ripgfcpkpbhl.com,www.j6l4qj5dfvjlkxya.net
12-08-14 09:14:08 (UTC),13-08-14 09:14:08 (UTC) www.voej7w7i5wqhd.com,www.nhbrobe2u5.net
12-08-14 08:08:27 (UTC),13-08-14 08:08:27 (UTC) www.fgzxrfhrgo.net,www.too3xofkwpprvxix.net
12-08-14 07:38:26 (UTC),13-08-14 07:38:26 (UTC) www.3fcvwc4udn7mwj.net,www.iwajitj5g.net
12-08-14 08:36:16 (UTC),13-08-14 08:36:16 (UTC) www.gf2afmvv3jl6dg.net,www.lvdvho3yglfu6.net
12-08-14 08:48:34 (UTC),13-08-14 08:48:34 (UTC) www.gyk2lv67szubbg4ilq.com,www.ujasp2f6.net
12-08-14 09:00:19 (UTC),13-08-14 09:00:19 (UTC) www.b3dthjkqi6py.com,www.qi5itnnxft3l.net
12-08-14 07:40:36 (UTC),13-08-14 07:40:36 (UTC) www.cwrtpgdwvfo.com,www.b2h4tpc5fxaq4l.net
12-08-14 07:45:00 (UTC),13-08-14 07:45:00 (UTC) www.swxvuwbkux5ws.com,www.vlrzxyc7lyjcjqxv.net
12-08-14 08:03:23 (UTC),13-08-14 08:03:23 (UTC) www.vxlyzz7hhbo7reiwg.com,www.tq2bi77acv.net
12-08-14 08:01:07 (UTC),13-08-14 08:01:07 (UTC) www.5syfc6b7xph5.com,www.lqr4alfcyz.net
12-08-14 07:51:17 (UTC),13-08-14 07:51:17 (UTC) www.istzu7bz6fzy2y7if.com,www.wgmyv7mbm6phnpq.net
12-08-14 08:12:22 (UTC),13-08-14 08:12:22 (UTC) www.hrz7noiicfhnnr3w3s.com,www.gixyoknsh7udrxu.net
Now, use a script to check the cert lifetime (1 year, start: today) and the structure of the cert names (more or less random).
HINT: If the Tor node runs on a port that is not dissected as SSL/TLS, you need to add the port to the SSL properties, otherwise you won't see the cert and the lifetime!
answered 14 Aug '12, 03:09
Kurt Knochner ♦
accept rate: 15%
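One way to script the two checks described in the answer (a lifetime of exactly one year starting on the capture day, and random-looking www.&lt;label&gt;.&lt;tld&gt; subject and issuer names), as an added example that is not part of the original answer: it reads tab-separated tshark field output of the shape shown above. The sample rows, the label length bounds and the randomness heuristic are assumptions of this example, not Tor's or Wireshark's.

```python
import re
from datetime import date, datetime

# Constructed sample in the shape of the tshark output above (two tab-separated
# columns: the utcTime pair, then the printableString pair); not a real capture.
SAMPLE = (
    "12-08-14 09:02:40 (UTC),13-08-14 09:02:40 (UTC)\twww.esvo7ripgfcpkpbhl.com,www.j6l4qj5dfvjlkxya.net\n"
    "12-08-14 08:08:27 (UTC),13-08-14 08:08:27 (UTC)\twww.fgzxrfhrgo.net,www.too3xofkwpprvxix.net\n"
    "12-08-14 10:00:00 (UTC),14-08-14 10:00:00 (UTC)\twww.wireshark.org,www.wireshark.org\n"
)
TIME_FMT = "%y-%m-%d %H:%M:%S (UTC)"
LINE_RE = re.compile(r"^([^,\t]+),([^,\t]+)\t([^,\t]+),([^,\t]+)$")

def parse_line(line):
    """Split one tshark row into (notBefore, notAfter, subject, issuer); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    nb, na = (datetime.strptime(m.group(i), TIME_FMT) for i in (1, 2))
    return nb, na, m.group(3), m.group(4)

def lifetime_is_one_year(nb, na, capture_day=None):
    """True when notAfter is exactly one calendar year after notBefore and, if
    capture_day is given, notBefore falls on that day (the 'starts today' criterion)."""
    try:
        one_year_later = nb.replace(year=nb.year + 1)
    except ValueError:  # notBefore on 29 Feb: no such day next year
        one_year_later = nb.replace(year=nb.year + 1, day=28)
    if capture_day is not None and nb.date() != capture_day:
        return False
    return na == one_year_later

def label_looks_random(host):
    """Heuristic (an assumption of this example) for 'www.<random>.<tld>' names: the
    middle label is lowercase alphanumeric, 8-20 chars, and has digits, a long
    consonant run or few vowels. Expect false positives on machine-generated names."""
    parts = host.lower().split(".")
    if len(parts) != 3 or parts[0] != "www":
        return False
    label = parts[1]
    if not re.fullmatch(r"[a-z0-9]{8,20}", label):
        return False
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    longest_run = max(len(r) for r in re.findall(r"[^aeiou]+", label))
    return any(c.isdigit() for c in label) or longest_run >= 4 or vowel_ratio <= 0.2

def flag_tor_like(text, capture_day=None):
    """One dict per parsed row carrying the two indicators; both True is the Tor-like case."""
    rows = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        nb, na, subject, issuer = parsed
        rows.append({"subject": subject,
                     "one_year": lifetime_is_one_year(nb, na, capture_day),
                     "random_names": label_looks_random(subject) and label_looks_random(issuer)})
    return rows

if __name__ == "__main__":
    for row in flag_tor_like(SAMPLE, capture_day=date(2012, 8, 14)):
        print(row)
```

Pipe the real tshark output into `flag_tor_like` and treat rows where both indicators are True as candidates for manual review, since either check alone is weak.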