Quiz Entry - updated: 2026.06.07
If someone captures your Tor traffic in Wireshark, what can and can't they learn?
They can see that you're connected to a Tor relay (so they know you use Tor) and that the data is fully encrypted — but not which websites you visit.
A Wireshark capture of Tor traffic shows:
- Visible connections: all traffic goes to a specific Tor node (e.g. IP
5.39.76.36on port9001). An observer can tell Tor is being used, but not the destination sites. - Encrypted data: the payload is fully encrypted with no readable content, and there are no separate DNS queries (DNS is resolved through Tor, not leaked locally).
- Missing features: the usual three-way TCP handshake (SYN/SYN-ACK/ACK) isn't visible in normal form, because the connection spans multiple nodes and each sees only part.
Conclusion of the test: the user's real IP stays hidden, packet contents are multiply encrypted and unreadable, "New Identity" gives a fresh circuit, and even a professional tool like Wireshark can't reveal which sites were visited.
Tip: The fact that DNS goes through Tor is key — a leaked DNS query is a classic way to accidentally reveal what you're browsing despite using a proxy.