Tor Protocol (tor)
Tor is a distributed overlay network designed to anonymize low-latency TCP-based applications such as web browsing, secure shell, and instant messaging. Clients choose a path through the network and build a circuit, in which each node (or onion router or OR) in the path knows its predecessor and successor, but no other nodes in the circuit. Traffic flowing down the circuit is sent in fixed-size cells, which are unwrapped by a symmetric key at each node (like the layers of an onion) and relayed downstream.
XXX - add a brief description of Tor history
The Tor dissector is (fully functional, partially functional, not existing, ... whatever the current state is). Also add info of additional Wireshark features where appropriate, like special statistics of this protocol.
(XXX add links to preference settings affecting how Tor is dissected).
Example capture file
XXX - Add a simple example capture file to the SampleCaptures page and link from here (see below). Keep this file short, it's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.
A complete list of Tor display filter fields can be found in the display filter reference
Show only the Tor based traffic:
You cannot directly filter Tor protocols while capturing. However, if you know the TCP port used (see above), you can filter on that one.
Capture only the Tor traffic over the default port (80):
tcp port 80
https://svn.torproject.org/svn/tor/trunk/doc/spec/tor-spec.txt Tor Protocol Specification
https://svn.torproject.org/svn/tor/trunk/doc/spec/rend-spec.txt Tor Hidden Service Specification
RFC 123 The RFC title - explanation of the RFC content.