[tor-talk] TOR and Obfsproxy packet size

Amin s asgetlostman at gmail.com
Mon Nov 30 11:30:35 UTC 2015


Hi Philipp,

> The difference is caused by the protocol headers that are wrapped around
Tor cells;
> IP, TCP, and TLS.

How many bytes does TLS take?
if we say TOR cell is 512 bytes, then 512 + 20 (TCP) + 20 (IP) = 552 and
586 - 552 = 34 bytes for TLS. is it correct?

> How did you run your test?  543 sounds like the TCP segment length and
> not like the length of the IP packet.
> Also, obfsproxy is just a framework.  Which obfuscation protocol did you
> run?  Obfs3?

I used Obfs3.
I am using wireshark . i get the same packet size when using tcpdump. In
wireshark there are 5 layers. Application,Transport,IP,Ethernet and
physical layer. (in regular TOR) for the application layer it shows 543
bytes (probably TLS is included).
Overall packet size (including all layers) is 597 bytes [543 + 20 (TCP) +
20 (IP) + 14 (Ethernet) = 597 bytes].

According to what you said at first, if 586 bytes is for (cell + TLS + TCP
+ IP), then in my case
(cell + TLS + TCP + IP) equals to 543 + 20 + 20 = 583 bytes. There is 3
bytes difference here. Why is it so?
How about Obfs3 traffic that wireshark (tcpdump) shows 565 bytes for the
application layer? [565 + 20 (TCP) + 20 (IP) = 605 bytes]

> First, Tor has static-length and variable-length cells, so it's not
> entirely fixed.  Second, what actually ends up on the wire isn't only up
> to the tor client.  It depends on TCP, which tries to fill the link MTU
> if there's enough data in the send buffer.

Do you know when TOR uses static-length cell and when variable-length cell?


More information about the tor-talk mailing list