> Date: Tue, 22 Mar 2011 15:13:33 -0400
> From: Andrew Lewman <[email protected]>
>
> How are you detecting ssh activity? Actual protocol analysis or tcp
> port 22? There are valid relays on tcp port 22 which your tor client
> may connect to in the normal operation of tor.
>

having <tshark> capturing ALL packets coming/going from every interface, saving everything to logfiles. Then, using <wireshark>/<tshark> to scan logs, extracting port 22 sessions.

Since this port 22 traffic is encrypted, all that can be [easily] determined is that normal tcp handshaking is working based upon tcp flags in headers (i.e.: SYN-SYN/ACK-ACK; RST-RST/ACK-ACK) in sequential session packets.

I have tried no further to determine whether that data is some <tor> protocol or actually <ssh> protocol. I simply assumed <ssh> protocol as one(*) would expect by seeing port 22.

(*) one who has only used <tor> and hasn't learned the internals (yet)

_______________________________________________
tor-talk mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
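
The port-versus-protocol distinction raised in this thread, as an added example that is not part of the original messages: even when the rest of a session is encrypted, the first payload bytes after the TCP handshake are not, so they separate an SSH identification string (RFC 4253) from the TLS handshake that Tor relay connections use. The function names, stream ids and sample bytes are constructed for illustration and assume the first payload of each direction has already been exported from the capture.

```python
import struct

def classify_first_payload(data: bytes) -> str:
    """Label the first payload bytes one side sent: 'tls', 'ssh' or 'unknown'."""
    # TLS record header: content type (1), version (2), length (2).
    # 0x16 = handshake; next byte is the handshake type (1 ClientHello, 2 ServerHello).
    if len(data) >= 6:
        rtype, major, minor, length = struct.unpack("!BBBH", data[:5])
        if (rtype == 0x16 and major == 3 and minor <= 4
                and 0 < length <= 16384 and data[5] in (1, 2)):
            return "tls"
    # RFC 4253 section 4.2: "SSH-protoversion-softwareversion" ending in CR LF.
    # A server may send other text lines first, so look at the first few lines.
    for line in data.split(b"\n")[:8]:
        parts = line.rstrip(b"\r").split(b"-", 2)
        if len(parts) == 3 and parts[0] == b"SSH" and parts[1] in (b"2.0", b"1.99"):
            return "ssh"
    return "unknown"

def classify_stream(client_first: bytes, server_first: bytes) -> str:
    """Combine both directions; either side identifying itself is enough."""
    labels = {classify_first_payload(client_first), classify_first_payload(server_first)}
    for label in ("ssh", "tls"):
        if label in labels:
            return label
    return "unknown"

# Constructed samples (not taken from any capture), keyed by a made-up stream id.
SAMPLE_STREAMS = {
    "stream-0": (b"SSH-2.0-OpenSSH_5.8\r\n", b"SSH-2.0-OpenSSH_5.5\r\n"),
    "stream-1": (b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01" + b"\x00" * 8, b""),
    "stream-2": (b"\x00\x01\x02\x03", b""),
    "stream-3": (b"", b"Welcome\r\nSSH-2.0-example\r\n"),
}

def summarize(streams):
    """Map each stream id to its protocol label."""
    return {sid: classify_stream(c, s) for sid, (c, s) in streams.items()}

if __name__ == "__main__":
    for sid, label in summarize(SAMPLE_STREAMS).items():
        print(sid, label)
```

A port 22 stream labelled `tls` here is not SSH, whatever the port number suggests; `unknown` means neither signature matched and the stream needs a closer look.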
