Why can't I find Tor Browser's SSL handshake at the default local Tor SOCKS5 proxy port?

I suppose traffic at the default Tor SOCKS5 proxy port (9150) is unencrypted because unencrypted HTTP contents can be found.
My Wireshark filter is ssl.handshake on the loopback interface.
Edit:
Thanks to WofWca, I use the filter frame contains torproject && tcp.port==9150 to see the domain name.

Could you describe more concretely what you expect to see?

I’m looking at the loopback interface in Wireshark and I can see all the TLS stuff alright, with this filter (tcp.port == 9150) && (ssl.handshake). Maybe try (tcp.port == 9150) && (tls.handshake || ssl.handshake) instead?

I want to see TBB’s update server domain name and verify whether the TBB update check actually happened.
Both (tcp.port == 9150) && (ssl.handshake) and ssl.handshake show an empty filter result.
With (tcp.port == 9150) && (tls.handshake || ssl.handshake) I get the message: Invalid filter: "tls.handshake" is neither a field nor a protocol name.

Sounds like your Wireshark is pretty outdated.
Either way, try frame contains "torproject" or just tcp.port == 9150.
