The problem of localizing in-band wormhole tunnels in MANETs is considered. In an in-band wormhole attack, colluding attackers use a covert tunnel to create the illusion that two remote network regions are directly connected. This apparent shortcut in the topology attracts traffic which the attackers can then control. To identify the nodes participating in the attack, it is necessary to determine the path through which victims' traffic is covertly tunneled. This paper begins with binary hypothesis testing, which tests whether a suspected path is carrying tunneled traffic. The detection algorithm is presented and evaluated using synthetic voice over IP (VoIP) traffic generated in a network testbed. After that, we consider multiple hypothesis testing to find the most likely tunnel path among a large number of candidates. We present a tunnel path estimation algorithm and its numerical evaluation using Poisson traffic. A main feature of the proposed algorithms is their robustness against the presence of chaff packets (possibly introduced to avoid detection), packet loss caused by unreliable wireless links, and clock skew at different nodes.