Interesting to find and block Tor malnodes: http://sla.ckers.org/forum/read.php?12,2984
& https://www.dan.me.uk/tornodes
some links: http://proxy.org/tor.shtml & via https://www.google.nl/search?q=tor+ip+list&rlz=1C1CHNQ_nlNL595NL595&oq=tor+ip+list&aqs=chrome..69i57j69i60.4413j0j7&sourceid=chrome&es_sm=122&ie=UTF-8
Check on some example node: htxp://dynamicip-176-212-13-30.pppoe.kirov.ertelecom.ru/
see: http://toolbar.netcraft.com/site_report?url=http://dynamicip-176-212-13-30.pppoe.kirov.ertelecom.ru
http://myip.ms/view/dns/307877/ns8.ertelecom.ru & http://dnscheck.pingdom.com/?domain=ertelecom.ru
Tor nodes can be determined further by the certs and validity thereof, normally one year.
Wireshark may detect these using tshark: tshark -r tor_traffic.cap -T fields -R "ssl.handshake.certificate" -e x509af.utcTime -e x509sat.printableString - use a script to check the cert lifetime (1 year, start: today) and the structure of the cert names (more or less random).
The Tor port has to be added to the SSL properties. Info credits: Kurt Knochner on the Wireshark FAQ.
polonus
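An added example (not from the post or from Wireshark) of the "script to check the cert lifetime" mentioned above: it reads tab-separated lines in the shape tshark -T fields prints (notBefore, notAfter, subject CN), and flags certs whose validity is about one year and whose CN looks machine-generated. The input lines are constructed, and the www.<random>.<tld> shape and the vowel/digit heuristic are assumptions for illustration, not a Tor specification.

```python
import re
from datetime import datetime

# Constructed sample in the layout "tshark -T fields" emits: one certificate
# per line, tab-separated: x509 notBefore, notAfter (UTCTime), subject CN.
SAMPLE = """\
140612000000Z\t150612000000Z\twww.kq3v7dzpla.net
140601000000Z\t170601000000Z\twww.example.com
131101120000Z\t141101120000Z\twww.h7xjq2bwe4k.com
"""

def parse_utctime(value):
    # x509 UTCTime as tshark prints it: YYMMDDhhmmssZ
    return datetime.strptime(value, "%y%m%d%H%M%SZ")

def looks_random(cn, min_len=6):
    # Assumed shape: www.<label>.<tld>; a label mixing digits into letters, or
    # with almost no vowels, is treated as machine-generated rather than a word.
    match = re.fullmatch(r"www\.([a-z0-9]{%d,})\.(com|net|org)" % min_len, cn)
    if not match:
        return False
    label = match.group(1)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    has_digit = any(ch.isdigit() for ch in label)
    return has_digit or vowel_ratio < 0.2

def check_cert(not_before, not_after, cn, tolerance_days=2):
    # The post's rule: lifetime of roughly one year plus a random-looking name.
    days = (parse_utctime(not_after) - parse_utctime(not_before)).days
    one_year = abs(days - 365) <= tolerance_days
    random_cn = looks_random(cn)
    return {
        "cn": cn,
        "lifetime_days": days,
        "one_year": one_year,
        "random_cn": random_cn,
        "tor_like": one_year and random_cn,
    }

def scan(text):
    # Returns one result dict per non-empty input line, in input order.
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        not_before, not_after, cn = line.split("\t")
        results.append(check_cert(not_before, not_after, cn))
    return results

if __name__ == "__main__":
    for r in scan(SAMPLE):
        print(r)
```

A hit is only a lead for further checks (e.g. against a published node list), since ordinary self-signed certs can also be one-year and oddly named.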
Tor node check example:
% Checking IP: 100.37.110.51
%
Status: ACK
Exit-Node: NAK
% TOR-Name: Unnamed
% TOR-Onion-Port: 9002
% TOR-Directory-Port: 9031
% TOR-Flags: Fast Guard HSDir Running Stable V2Dir Valid
% TOR-Exit-Node: NAK
% TOR-Version: Tor 0.2.4.22
% TOR-Full-Version: Tor 0.2.4.22 on Linux
% TOR-Uptime: 1143018
% TOR-Bandwidth-Average-Bytes: 1572864
% TOR-Bandwidth-Burst-Bytes: 3145728
% TOR-Bandwidth-Estimated-Bytes: 1920906
% TOR-Contact:
%
mapping example: http://82.94.251.203/tor/server/all
D