Unlike conventional non-Tor encrypted traffic that comes with openly visible destination attributes such as IP addresses (both source and destination) and port number, the onion routing mechanism immanent in Tor networks manages to effectively obfuscate and hide these attributes. Therefore, logic dictates that some other attributes should be used for classifying what traffic originates from Tor, among other things.
An analysis of the entry nodes of Tor traffic with more traditional methods is almost always futile. Given that the entry guards are assigned randomly, a person who tries to hack Tor in this way should have to operate many Tor nodes to have a reasonable expectation of intercepting a targeted hidden traffic. On top of that, classifiers would be confused to a great extent if random padding is added to the travelling data. This assessment is in line with the view of the Tor project leader, Roger Dingledine.
Most prevalent approaches for traffic detection that vendors tout rely on blocking tracked down entry nodes of the Tor network. That is easier said than done, however; those approaches are not that difficult to be bypassed. Moreover, because Tor relays dynamically through