Re: [tor-talk] tor using SSH

[egf@xxxxxxxxxxxxxxxxxxx]

> Date: Tue, 22 Mar 2011 15:13:33 -0400
> From: Andrew Lewman <andrew@xxxxxxxxxxxxxx>
> 
> How are you detecting ssh activity?  actual protocol analysis or tcp
> port 22?  There are valid relays on tcp port 22 which your tor client
> may connect to in the normal operation of tor.
> 

having <tshark> capturing ALL packets coming/going from every interface,
saving everything to logfiles.  Then, using  <wireshark>/<tshark> to scan
logs, extracting port 22 sessions.  

Since this port 22 traffic is encrypted, all that can be [easily] determined 
is that normal tcp handshaking  is working based upon tcp flags in headers 
(ie: SYN-SYN/ACK-ACK; RST-RST/ACK-ACK) in sequential session packets.  

I have tried no further to determine whether that data is some <tor> protocol
or actually <ssh> protocol.  I simply assumed <ssh> protocol as one(*) would 
expect by seeing port 22.  



(*) one who has only used <tor> and hasn't learned the internals (yet)

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk