Reference
Handshake data
The SandboxAQ Network Analyzer can identify both complete and incomplete handshakes and extract the following data:
| Data | Complete Handshakes | Incomplete Handshakes |
|---|---|---|
| Source IP | ✅ | ✅ |
| Target IP | ✅ | ✅ |
| Source Port | ✅ | ✅ |
| Target Port | ✅ | ✅ |
| Selected Ciphersuite | ✅ | — |
| Client-supported Ciphersuites | ✅ | ✅ |
| Selected EC Group | ✅ | — |
| Client-supported Groups | ✅ | ✅ |
| Certificate and Key information | ✅ | — |
| Client timestamp | ✅ | ✅ |
| Server timestamp | ✅ | — |
| Server name | ✅ | ✅ |
Handshake data can be accessed through the Web Interface and the GraphQL API. For Web Interface instructions and details, refer to Handshake fundamentals.
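The fields marked as available for incomplete handshakes (client ciphersuites, client groups, server name) all travel in the ClientHello, the first flight on the wire, so they can be recovered even when the server never answers. The Python below is an added illustration of that point, not code from the Network Analyzer or its documentation; it parses a constructed ClientHello record (not a real capture) and reports those fields as IANA code points, rejecting a truncated record.

```python
import struct

# Constructed ClientHello record for illustration (not from a real capture).
# Random field is all zeros for readability; the layout follows RFC 8446 / RFC 6066.
CLIENT_HELLO = bytes.fromhex(
    "16 03 01 00 53"                  # record: handshake, legacy version TLS 1.0, 83 bytes
    "01 00 00 4f"                     # handshake: ClientHello, 79-byte body
    "03 03" + "00" * 32 +             # legacy_version TLS 1.2, 32-byte random
    "00"                              # empty session id
    "00 06 13 01 13 02 c0 2f"         # suites: AES128-GCM-SHA256, AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM
    "01 00"                           # compression methods: null only
    "00 20"                           # extensions: 32 bytes follow
    "00 00 00 10 00 0e 00 00 0b 6578616d706c652e636f6d"  # server_name = example.com
    "00 0a 00 08 00 06 00 1d 00 17 00 18"                # supported_groups: x25519, secp256r1, secp384r1
)


def parse_client_hello(record: bytes) -> dict:
    """Return the ClientHello fields obtainable without any server reply."""
    # TLS record header: content type (1), version (2), length (2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < rec_len:
        raise ValueError("truncated record")          # incomplete capture, not just an incomplete handshake
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                       # skip legacy_version and random
    pos += 1 + body[pos]                               # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                               # skip compression methods
    info = {"cipher_suites": suites, "supported_groups": [], "server_name": None}
    if pos + 2 > len(body):
        return info                                    # no extensions block (legal for TLS <= 1.2)
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype == 0x0000:                            # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", data[3:5])[0]
            info["server_name"] = data[5:5 + name_len].decode("ascii")
        elif etype == 0x000A:                          # supported_groups: list_len(2) then 2-byte ids
            glen = struct.unpack("!H", data[:2])[0]
            info["supported_groups"] = [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, glen, 2)]
    return info
```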
Supported formats and protocols
The Network Analyzer supports several types of PCAP formats, PCAP link layers, and protocols.
Details are explained in the sections that follow.
PCAP formats
The Network Analyzer supports any format that the pcap-parser supports. These formats are:
PCAP link layers
The Network Analyzer supports the following PCAP link layers:
- LINKTYPE_NULL: Null (assuming the capturing host was little-endian)
- LINKTYPE_LOOP: Loop (assuming the capturing host was little-endian)
- LINKTYPE_ETHERNET: Ethernet
- LINKTYPE_IPV4: IPv4
- LINKTYPE_IPV6: IPv6
- LINKTYPE_RAW: Raw
- LINKTYPE_LINUX_SLL: Linux cooked capture encapsulation
- LINKTYPE_LINUX_SLL2: Linux cooked capture encapsulation v2
Refer to the LINKTYPE definitions for details.
Supported <= L4 packet types
The Network Analyzer supports the following packet types for layer 4 or lower:
- Ethernet
- Dot1q
- IPv4 / IPv6
- Generic Routing Encapsulation (GRE)
- VXLAN
- TCP / UDP
Supported L7 handshake extraction protocols
The Network Analyzer supports the following handshake extraction protocols for layer 7:
- TLS 1.3: Extracts client-supported ciphersuites, elliptic curves, and signature algorithms (classic, hybrid, or PQC), along with the server's selected ciphersuites. Refer to TLS handshake details.
- SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2: Extracts classic cryptographic objects as in TLS 1.3, as well as any available X.509 certificates.
- SSH 2: Extracts host key algorithms and algorithms for client/server key exchange, encryption, and MAC. Refer to SSH handshake details.
Ciphersuite data
The Network Analyzer provides an in-depth analysis of ciphersuites and extracts the following:
- TLS version
- Internet Engineering Task Force (IETF) recommendation status
- Reference to the RFCs in which it was defined
- Key exchange algorithm
- Signature algorithm
- Symmetric cipher algorithm
- MAC algorithm
- Hash algorithm
Ciphersuite data can be accessed through the Web Interface and the GraphQL API. For Web Interface instructions and details, refer to Handshake fundamentals.