LinuxQuestions.org
Old 03-10-2010, 12:02 PM   #1
Herbivore
LQ Newbie
 
Registered: Mar 2008
Posts: 17

Rep: Reputation: 0
How to verify FF add-on is using Tor/Privoxy


Mint 8 (Ubuntu 9.10, Karmic Koala), FF 3.5.8 with noscript, betterprivacy, ghostery, torbutton

Complete newbie regarding wireshark or netactview but I was advised to try one of these to determine if a Firefox add-on was using Tor.

Any suggestions or assistance appreciated.
 
Old 03-10-2010, 12:28 PM   #2
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 167Reputation: 167
Basically you would use it to see when you requested a page if the request was going out through tor or if the request was going out to the website in general.

Last edited by rweaver; 03-10-2010 at 12:30 PM.
 
Old 03-10-2010, 06:06 PM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
What I do when using Tor is to configure my firewall so that only Tor is allowed to start outbound connections. That way I don't have doubts — if I'm not using Tor I simply won't be able to surf.
 
Old 03-10-2010, 07:45 PM   #4
Herbivore
LQ Newbie
 
Registered: Mar 2008
Posts: 17

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by rweaver View Post
Basically you would use it to see when you requested a page if the request was going out through tor or if the request was going out to the website in general.
Yes, I understand that in general, but specifically, if it is possible to describe or give an example, what would the packet information look like when going out through Tor and not?

As is common with newbies, we sometimes ask a question wanting a simple answer where really what is needed is for one to hit the textbooks, as it were. If this is the case, I respect that; just let me know. The manual for wireshark is frankly daunting! And I cannot find any example specific to Tor. I have a feeling that if I want to use wireshark properly, I am going to have to go through some preliminary stages of learning first. I was kind of hoping this might be an exception and I could use wireshark without understanding the totality.
 
Old 03-10-2010, 07:51 PM   #5
Herbivore
LQ Newbie
 
Registered: Mar 2008
Posts: 17

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by win32sux View Post
What I do when using Tor is to configure my firewall so that only Tor is allowed to start outbound connections. That way I don't have doubts — if I'm not using Tor I simply won't be able to surf.
This is an intriguing idea? And it sounds suited to my simple mind, but, not having used a firewall in ages (since Windows) and having had a look at the one bundled with Mint (Ubuntu), Gufw, I am going to need help to configure it to do as you suggest.

Are you familiar with Gufw or should I post specific questions for each option? Example: Use the new rule advanced tab? Choose allow TCP. What IP and port to put in the from and to fields? 127.0.0.1 8118 must be one of those. . .
 
Old 03-10-2010, 08:00 PM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by Herbivore View Post
This is an intriguing idea? And it sounds suited to my simple mind, but, not having used a firewall in ages (since Windows) and having had a look at the one bundled with Mint (Ubuntu), Gufw, I am going to need help to configure it to do as you suggest.

Are you familiar with Gufw or should I post specific questions for each option? Example: Use the new rule advanced tab? Choose allow TCP. What IP and port to put in the from and to fields? 127.0.0.1 8118 must be one of those. . .
Well, it depends on where exactly you have Tor and Privoxy running. If it's running on the same host you're using to surf, then all you need to do is find out what user Tor is running as, then tell your firewall to only allow that user to start outbound connections. No need to use any port numbers at all. For example, a command like this would take care of it:
Code:
iptables -I OUTPUT -o eth0 -m owner ! --uid-owner tor-user -j REJECT
It basically says that if a packet exiting through eth0 wasn't generated by a program running as the user Tor runs as (tor-user in this example) it should be sent to REJECT. You could slap a LOG rule there too if you wanted, in order to know exactly when you would have otherwise been leaking DNS and/or unintentionally doing stuff outside the Tor network. When you're done using Tor, execute the command again with a -D instead of an -I to delete the rule and you're back to normal.

Last edited by win32sux; 03-10-2010 at 08:08 PM.
 
1 members found this post helpful.
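
The rule from post #6 together with the LOG rule it mentions, as an added example that is not part of the original post. `eth0` and `tor-user` are the post's placeholders; the function names and the `NON-TOR-OUT:` log prefix are made up for illustration. The script only prints the commands unless `APPLY=1` is set (as root).

```shell
#!/bin/sh
# Added example: Tor-only egress policy using the owner match from the post.
# Assumptions: interface eth0 and account "tor-user" are placeholders; find
# the real account with `ps -o user= -C tor`.

# Emit the iptables commands for one action: -I to insert, -D to delete.
tor_only_rules() {
    action=$1 iface=${2:-eth0} tor_user=${3:-tor-user}
    match="-o $iface -m owner ! --uid-owner $tor_user"
    # -I places a rule at the top of OUTPUT, so REJECT is inserted first and
    # LOG second: LOG ends up above REJECT and records the packet before it
    # is refused. Loopback traffic (browser -> Privoxy -> Tor) is untouched
    # because the match is limited to the external interface.
    echo "iptables $action OUTPUT $match -j REJECT"
    echo "iptables $action OUTPUT $match -j LOG --log-prefix NON-TOR-OUT:"
}

# tor_only on|off [iface] [user]: print the rules, or run them when APPLY=1.
tor_only() {
    case $1 in
        on)  action=-I ;;
        off) action=-D ;;
        *)   echo "usage: tor_only on|off [iface] [user]" >&2; return 2 ;;
    esac
    shift
    tor_only_rules "$action" "$@" | while read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then $cmd; else echo "$cmd"; fi
    done
}

# Run only when called with arguments, e.g. `APPLY=1 ./tor-only.sh on`.
[ $# -eq 0 ] || tor_only "$@"
```

These rules cover IPv4 only; IPv6 traffic needs the same rules through `ip6tables`.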
Old 03-11-2010, 03:45 PM   #7
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 167Reputation: 167
Quote:
Originally Posted by Herbivore View Post
Yes, I understand that in general...snip...without understanding the totality.
In this case it's actually something really really easy to check with say tcpdump, simply verify if the connection is going directly to the website in question on port 80, if it's not and it's connecting out to some random host on the net in a port range applicable to tor, it's using tor.

Wireshark, tcpdump, etc are all useful tools but sometimes it's easier to use them in a simple way than in a complex way.

Edit: Win32 brings up a very elegant solution that appeals to me personally since it will prevent accidents from happening if an app doesn't get restarted at boot up (well, excluding iptables of course.)

Last edited by rweaver; 03-11-2010 at 03:46 PM.
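
What the check from post #7 looks like on captured traffic, as an added example that is not part of the thread. The sample lines are constructed in `tcpdump -nn` output format with documentation addresses; the local address `192.168.1.10`, the site address `192.0.2.80`, and the function names are assumptions. A packet counts as direct when it goes to the site's own address or to port 53 (a DNS lookup made outside Tor).

```shell
#!/bin/sh
# Added example: classify outbound packets seen by `tcpdump -nn -i eth0`.
# "other" means "not sent to the site and not DNS"; with Tor in use these
# are the connections to Tor relays.

classify_capture() {   # usage: classify_capture LOCAL_IP SITE_IP < capture
    awk -v me="$1" -v site="$2" '
        $2 == "IP" && index($3, me ".") == 1 {      # packets we sent
            dst = $5; sub(/:$/, "", dst)            # strip trailing colon
            n = split(dst, p, "."); port = p[n]     # last field is the port
            host = dst; sub(/\.[0-9]+$/, "", host)  # the rest is the address
            if (host == site || port == 53) { direct++; print "DIRECT " host ":" port }
            else                            { other++;  print "other  " host ":" port }
        }
        END { printf "summary direct=%d other=%d\n", direct, other }'
}

# Constructed sample: a session through Tor, then one with the proxy off.
sample_capture() {
cat <<'EOF'
12:00:01.000001 IP 192.168.1.10.41000 > 198.51.100.7.9001: Flags [S], seq 1, win 5840, length 0
12:00:01.090000 IP 198.51.100.7.9001 > 192.168.1.10.41000: Flags [S.], seq 9, ack 2, win 5792, length 0
12:00:02.000000 IP 192.168.1.10.41002 > 203.0.113.20.443: Flags [P.], seq 1:587, ack 1, win 92, length 586
12:05:00.000000 IP 192.168.1.10.53211 > 192.168.1.1.53: 4660+ A? www.example.com. (33)
12:05:00.050000 IP 192.168.1.10.41010 > 192.0.2.80.80: Flags [S], seq 1, win 5840, length 0
EOF
}

sample_capture | classify_capture 192.168.1.10 192.0.2.80
```

For a live capture, pipe `tcpdump -nn -l -i eth0` into `classify_capture` with the host's address and the address of the site being tested.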
 
  

