Abstract—Tor is a well-known low-latency anonymous communication system. To prevent the traffic analysis attack, Tor packs application data into equal-sized cells. However, we found that equal-sized cells at the application layer do not necessarily produce equal-sized packets at the network layer. Therefore, we introduced a packet size based attack that compromises Tor’s communication anonymity with no need of controlling Tor routers. An attacker can manipulate size of packets between a web site and an exit onion router and embeds a signal into the target traffic. An accomplice at the user side can sniff the traffic and recognize this signal. To cope with the signal distortion incurred by Tor and Internet, we developed an effective signal recovery mechanism. Our real-world experiments validate the effectiveness of our attack against Tor. Our work demonstrates the need for re-considering the issue of padding anonymous communication data into equal size.