Tor Protocol (tor)

Tor is a distributed overlay network designed to anonymize low-latency TCP-based applications such as web browsing, secure shell, and instant messaging. Clients choose a path through the network and build a circuit*, in which each node (or onion router* or OR*) in the path knows its predecessor and successor, but no other nodes in the circuit. Traffic flowing down the circuit is sent in fixed-size cells*, which are unwrapped by a symmetric key at each node (like the layers of an onion) and relayed downstream.


XXX - add a brief description of Tor history

Protocol dependencies

Example traffic


The Tor dissector is (fully functional, partially functional, not existing, ... whatever the current state is). Also add info of additional Wireshark features where appropriate, like special statistics of this protocol.

Preference Settings

(XXX add links to preference settings affecting how Tor is dissected).

Example capture file

XXX - Add a simple example capture file to the SampleCaptures page and link from here (see below). Keep this file short, it's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.

Display Filter

A complete list of Tor display filter fields can be found in the display filter reference

Show only the Tor based traffic:


Capture Filter

You cannot directly filter Tor protocols while capturing. However, if you know the TCP port used (see above), you can filter on that one.

Capture only the Tor traffic over the default port (80):

 tcp port 80 

External links


Imported from on 2020-08-11 23:26:46 UTC