LOGBOOK

HELP

Quiz Entry - updated: 2026.06.07

If someone captures your Tor traffic in Wireshark, what can and can't they learn?

They can see that you're connected to a Tor relay (so they know you use Tor) and that the data is fully encrypted — but not which websites you visit.

A Wireshark capture of Tor traffic shows:

  • Visible connections: all traffic goes to a specific Tor node (e.g. IP 5.39.76.36 on port 9001). An observer can tell Tor is being used, but not the destination sites.
  • Encrypted data: the payload is fully encrypted with no readable content, and there are no separate DNS queries (DNS is resolved through Tor, not leaked locally).
  • Missing features: the usual three-way TCP handshake (SYN/SYN-ACK/ACK) isn't visible in normal form, because the connection spans multiple nodes and each sees only part.

Conclusion of the test: the user's real IP stays hidden, packet contents are multiply encrypted and unreadable, "New Identity" gives a fresh circuit, and even a professional tool like Wireshark can't reveal which sites were visited.

Tip: The fact that DNS goes through Tor is key — a leaked DNS query is a classic way to accidentally reveal what you're browsing despite using a proxy.

From Quiz: PRIVACY / Anonymous Surfing, Tor & Location Tracking | Updated: Jun 07, 2026