I do not have Wireshark installed or running at the moment, but I am curious to know if anyone has done some packet sniffing on Syncthing with Wireshark?
Curious to know what's in the headers, and how “covert” the communication of Syncthing is.
Excluding the discovery stuff, syncing is just TLSv1.3 (or QUIC*), so you’re not going to see anything but TLS record packets + a TLS handshake, plus the usual lower layer stuff (TCP/IP). The inner protocol (behind the encryption) is BEP.
The TLS handshake doesn’t try to hide that it’s syncthing. Apart from using an identifiable port number (unless configured otherwise), the TLS handshake uses ALPN to advertise itself as talking BEP. For an active party (i.e. not a passive listener), the certificates are also visible which contain the name “syncthing”.
*QUIC is sometimes considered “TLS over UDP”, but in reality QUIC is a lot more complicated than that. Its security properties are the same though - from the outside, you only see QUIC control information + encrypted data.
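As an added illustration of the ALPN point made above (this is not code from the thread or from the Syncthing project), the following parser pulls the ALPN protocol list out of a raw TLS ClientHello record, which is all a passive observer needs to recognise a BEP connection. The ALPN identifier `bep/1.0` is taken from Syncthing's source rather than from this thread, and the ClientHello bytes are constructed inline for testing, not a real capture.

```python
import struct

# ALPN protocol identifier Syncthing advertises for BEP connections.
# Assumption: taken from Syncthing's source, not stated in the forum thread.
SYNCTHING_ALPN = b"bep/1.0"

def alpn_from_client_hello(record: bytes) -> list[bytes]:
    """Return the ALPN protocol list in a TLS ClientHello record
    (empty list if it is not a ClientHello or carries no ALPN extension)."""
    # TLS record header: content type (22 = handshake), version, length
    if len(record) < 5 or record[0] != 22:
        return []
    body = record[5:5 + struct.unpack(">H", record[3:5])[0]]
    # Handshake header: msg_type (1 = ClientHello), 3-byte length
    if len(body) < 4 or body[0] != 1:
        return []
    p = 4 + 2 + 32                                      # skip legacy_version + random
    p += 1 + body[p]                                    # legacy_session_id
    p += 2 + struct.unpack(">H", body[p:p + 2])[0]      # cipher_suites
    p += 1 + body[p]                                    # legacy_compression_methods
    if p + 2 > len(body):
        return []
    end = p + 2 + struct.unpack(">H", body[p:p + 2])[0]
    p += 2
    while p + 4 <= end:                                 # walk the extensions
        ext_type, elen = struct.unpack(">HH", body[p:p + 4])
        data, p = body[p + 4:p + 4 + elen], p + 4 + elen
        if ext_type == 16:                              # application_layer_protocol_negotiation
            protos, q = [], 2                           # skip protocol_name_list length
            while q < len(data):
                n = data[q]
                protos.append(data[q + 1:q + 1 + n])
                q += 1 + n
            return protos
    return []

def looks_like_syncthing(record: bytes) -> bool:
    """Detection check: does this ClientHello offer the BEP protocol via ALPN?"""
    return SYNCTHING_ALPN in alpn_from_client_hello(record)

def build_client_hello(alpn: list[bytes]) -> bytes:
    """Constructed minimal ClientHello with the given ALPN list (test input only)."""
    names = b"".join(bytes([len(a)]) + a for a in alpn)
    ext = struct.pack(">HHH", 16, len(names) + 2, len(names)) + names
    hello = (b"\x03\x03" + b"\x00" * 32      # legacy_version, 32-byte random
             + b"\x00"                       # empty legacy_session_id
             + b"\x00\x02\x13\x01"           # one cipher suite: TLS_AES_128_GCM_SHA256
             + b"\x01\x00"                   # null compression only
             + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
```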
Somewhat related, I recently ran a ‘security test’ on one of my machines, and it said:
GRC Port Authority Report created on UTC: 2024-01-23 at 05:42:26
Results from scan of ports: 0-1055
1 Ports Open
0 Ports Closed
1055 Ports Stealth
1056 Ports Tested
NO PORTS were found to be CLOSED.
The port found to be OPEN was: 443
IIRC they said 443 was some sort of ‘web server’ - but AFAIK I’m not running anything of the sort. So I was wondering if this could be Syncthing’s doing?