5

Having a PCAP file with Tor traffic, is there a way fast enough to recognize if any of the packets are part of Tor traffic/sessions?

Some tools speak about "protocol identification via statistical analysis", but I'm wondering if there are any technical details or packet attributes to identify Tor traffic.

forest
CDominik

2 Answers

6

Incoming Tor traffic is easy to recognize because all Tor exit nodes are publicly known. That means you could search by IP of exit nodes. But this traffic is actually not really considered Tor traffic because it already left the Tor network. It's just traffic that comes from Tor. It might not even be encrypted.

Outgoing Tor traffic is much harder, if not impossible, to recognize because not all entry nodes are publicly known. You could search by IP of some entry nodes whose IP you know, but that would not cover all Tor traffic.

I think China is the best example for recognizing/filtering outgoing Tor traffic. As far as I know, they are the only country that successfully (or at least partly successfully) blocks Tor by using protocol analysis. Because of that, Tor created special algorithms for obfuscating Tor traffic in order to get it through China's Great Firewall. But it's a cat-and-mouse game. The obfuscated traffic is also recognized and blocked after some time, and then new obfuscation algorithms are developed. That's why it's so hard to block outgoing Tor traffic.

I do not know much detail about how China's traffic analysis works. Perhaps no one here knows for sure, but maybe someone could give a guess, although it's probably not a simple procedure.

forest
pineappleman
1

Tor is designed to look like normal HTTPS. A Tor session looks exactly like a normal HTTPS session when you use Wireshark or similar tools, because such tools rely on port number inspection or protocol specification validation, and that is the main reason why intrusion detection systems and deep packet inspection fail at identifying Tor traffic.

But still, there are very few tools that can recognize Tor traffic, as Tor implements RFC 2246.

Here you will find a full description of how to use your PCAP files in CapLoader.

Speaking about the methods, there are various ones available in the literature. You may be interested in reading, for example, about this algorithmic SPID method:

Many application layer protocol identification schemes used today rely on signatures or patterns that usually occur in protocols, e.g. ’BitTorrent protocol’, ’SSH-’ or ’GET / HTTP/1.1’.

A problem with looking for such static patterns is that the fingerprints need to be manually created, which means that network traffic and protocol specifications need to be studied and abstracted in order to create a reliable identification pattern.

Chris Murray
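The two answers above describe two different handles on a capture: matching addresses against the published list of exit nodes (first answer) and feeding per-flow statistics to a classifier such as SPID, since Tor's TLS transport is indistinguishable by port or protocol grammar alone (second answer). The script below is an added example, not code from either answer or from CapLoader; it is a minimal dependency-free PCAP reader that does both on a small capture constructed inline. It assumes an Ethernet link type with IPv4/TCP packets, and all addresses (192.0.2.10, 198.51.100.20, 203.0.113.5) are constructed values from documentation ranges standing in for the real exit list, which you would load from the Tor Project's published data instead.

```python
"""
Added example: read a PCAP, flag frames that touch a known Tor exit/relay
address, recognize TLS handshake records (the RFC 2246-style framing Tor
uses), and collect per-flow size statistics of the kind a statistical
classifier consumes. All packets and addresses below are constructed test
data from documentation IP ranges, not real relays or real captures.
"""
import struct
from collections import defaultdict

OUR_HOST = "192.0.2.10"           # constructed: the monitored host
UNKNOWN_SERVER = "198.51.100.20"  # constructed: some TLS server
KNOWN_EXIT = "203.0.113.5"        # constructed stand-in for a published exit-node IP
KNOWN_RELAY_IPS = {KNOWN_EXIT}    # in practice: load the public exit-node list here


def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def _ipv4_tcp_frame(src, dst, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP frame (checksums left zero; enough for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     _ip_bytes(src), _ip_bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp  # zero MACs, EtherType IPv4


def build_pcap(frames):
    """Serialize frames into a little-endian libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames, start=1):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap):
    """Yield raw frames from a libpcap byte string, handling either byte order."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    offset = 24
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(order + "IIII", pcap[offset:offset + 16])
        offset += 16
        yield pcap[offset:offset + incl_len]
        offset += incl_len


def parse_ipv4_tcp(frame):
    """Return src/dst/ports/payload for an IPv4+TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:  # protocol field: 6 = TCP
        return None
    total_len = struct.unpack("!H", frame[16:18])[0]
    tcp_start = 14 + ihl
    if len(frame) < tcp_start + 20:
        return None
    sport, dport = struct.unpack("!HH", frame[tcp_start:tcp_start + 4])
    data_off = (frame[tcp_start + 12] >> 4) * 4
    return {
        "src": ".".join(str(b) for b in frame[14 + 12:14 + 16]),
        "dst": ".".join(str(b) for b in frame[14 + 16:14 + 20]),
        "sport": sport, "dport": dport,
        "payload": frame[tcp_start + data_off:14 + total_len],
    }


def looks_like_tls_handshake(payload):
    """True for a TLS record of type handshake (0x16) with a 3.x version.
    The length check assumes the whole record sits in one segment."""
    if len(payload) < 5 or payload[0] != 0x16 or payload[1] != 0x03 or payload[2] > 0x03:
        return False
    return struct.unpack("!H", payload[3:5])[0] == len(payload) - 5


def frames_touching_known_relays(pcap, relay_ips):
    """First answer's approach: list frames whose endpoint is a published relay IP."""
    hits = []
    for num, frame in enumerate(iter_frames(pcap), start=1):  # Wireshark numbers from 1
        pkt = parse_ipv4_tcp(frame)
        if pkt and (pkt["src"] in relay_ips or pkt["dst"] in relay_ips):
            hits.append((num, pkt["src"], pkt["dst"]))
    return hits


def flow_statistics(pcap):
    """Second answer's approach: per-flow features a statistical classifier would use."""
    stats = defaultdict(lambda: {"packets": 0, "payload_bytes": 0, "sizes": [], "tls_handshake": False})
    for frame in iter_frames(pcap):
        pkt = parse_ipv4_tcp(frame)
        if not pkt:
            continue
        flow = stats[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])]
        flow["packets"] += 1
        flow["payload_bytes"] += len(pkt["payload"])
        flow["sizes"].append(len(pkt["payload"]))
        flow["tls_handshake"] |= looks_like_tls_handshake(pkt["payload"])
    return dict(stats)


# Constructed capture: a TLS session to an unknown server, and a plain HTTP
# request arriving from the known exit address (the "incoming" case).
SAMPLE_PCAP = build_pcap([
    _ipv4_tcp_frame(OUR_HOST, UNKNOWN_SERVER, 40000, 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    _ipv4_tcp_frame(KNOWN_EXIT, OUR_HOST, 51234, 80, b"GET / HTTP/1.1\r\n"),
    _ipv4_tcp_frame(OUR_HOST, UNKNOWN_SERVER, 40000, 443, b"\x17\x03\x01\x00\x02\xaa\xbb"),
])

if __name__ == "__main__":
    print("frames touching known relays:", frames_touching_known_relays(SAMPLE_PCAP, KNOWN_RELAY_IPS))
    for flow, f in flow_statistics(SAMPLE_PCAP).items():
        print(flow, f)
```

Run against a real file by replacing `SAMPLE_PCAP` with `open(path, "rb").read()`. Note that the address match only ever finds the exit-side traffic the first answer describes; the client-to-guard session in the sample shows up only as a TLS flow whose sizes and timing a classifier like SPID would have to score, which is exactly why the second answer says port- and grammar-based tools cannot tell it from ordinary HTTPS.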