
Network Analyzer reference

Network Analyzer data

The Handshakes and Ciphersuites tables below provide details about the negotiation of cryptographic parameters during data transmission.

Handshake data

The SandboxAQ Network Analyzer can identify both complete and incomplete handshakes and extract the following data:

Data Complete Handshakes Incomplete Handshakes
Source IP
Target IP
Source Port
Target Port
Selected Ciphersuite
Client-supported Ciphersuites
Selected EC Group
Client supported Groups
Certificate and Key information
Client timestamp
Server timestamp
Server name

Handshake data can be accessed through the Web Interface and the GraphQL API. For Web Interface instructions and details, refer to Handshake fundamentals.

You can also use the yanadump tool to dump handshake information from a PCAP file. Run:

$ yanadump -f /path/to/file.pcap -o /path/to/out.cst

This generates a trace file that includes all TLS/SSH handshake information in one line per detected handshake. This compact format saves considerable time when uploading to AQtive Guard for analysis.

Ciphersuite data

The Network Analyzer provides an in-depth analysis of TLS ciphersuites and extracts the following:

  • TLS version
  • Internet Engineering Task Force (IETF) recommendation status
  • Reference to RFCs where it was defined
  • Key exchange algorithm
  • Signature algorithm
  • Symmetric cipher algorithm
  • MAC algorithm
  • Hash algorithm

Ciphersuite data can be accessed through the Web Interface and the GraphQL API. For Web Interface instructions and details, refer to Handshake fundamentals.

PCAP formats and packet types

The Network Analyzer supports several PCAP formats, PCAP link layers, and protocols. Refer to Getting started with PCAP upload for details on using PCAPs for analysis.

PCAP formats

The Network Analyzer supports any format that the pcap-parser supports. These formats are:

The Network Analyzer supports the following PCAP link layers:

  • LINKTYPE_NULL - Null (assuming the capturing host was little-endian)
  • LINKTYPE_LOOP - Loop (assuming the capturing host was little-endian)
  • LINKTYPE_ETHERNET - Ethernet
  • LINKTYPE_IPV4 - IPv4
  • LINKTYPE_IPV6 - IPv6
  • LINKTYPE_RAW - Raw
  • LINKTYPE_LINUX_SLL - Linux cooked capture encapsulation
  • LINKTYPE_LINUX_SLL2 - Linux cooked capture encapsulation v2

Refer to the LINKTYPE definitions for details.

Supported <= L4 packet types

The Network Analyzer supports the following packet types for layer 4 or lower:

  • Ethernet
  • Dot1q
  • IPv4 / IPv6
  • Generic Routing Encapsulation (GRE)
  • VXLAN
  • TCP / UDP

Supported L7 handshake extraction protocols

The Network Analyzer supports the following handshake extraction protocols for layer 7:

  • TLS 1.3 - Extracts the client-supported ciphersuites, elliptic curves, and signature algorithms (classic, hybrid, or PQC), along with the ciphersuite selected by the server. Refer to TLS handshake details.
  • SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2 - Extracts classic cryptographic objects as in TLS 1.3, as well as any available X.509 certificates.
  • SSH 2 - Extracts host key algorithms and algorithms for client/server key exchange, encryption, and MAC. Refer to SSH handshake details.
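The fields listed under Handshake data (client-supported ciphersuites, supported groups, server name), the per-suite breakdown under Ciphersuite data (key exchange, signature, cipher, hash), and the TLS extraction described in the list above all come from parsing the ClientHello. The following Python example is added here for illustration; it is not SandboxAQ code and not the parser used by the Network Analyzer or yanadump. It constructs a ClientHello record, parses the fields a defender inventories, splits the IANA suite name into its components, and flags legacy offers. The lookup tables are a small hand-picked subset of the IANA registry values, and the `weak_offers` policy (pre-TLS 1.2 versions, RSA key transport, 3DES) is an assumption of this example, not a rule from the page.

```python
import struct

# Constructed lookup tables: a small subset of IANA registry values, enough for this example.
CIPHERSUITES = {0x1301: "TLS_AES_128_GCM_SHA256", 0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
GROUPS = {0x0017: "secp256r1", 0x001D: "x25519", 0x11EC: "X25519MLKEM768"}   # last one is a PQC hybrid
SIGALGS = {0x0401: "rsa_pkcs1_sha256", 0x0403: "ecdsa_secp256r1_sha256", 0x0804: "rsa_pss_rsae_sha256"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def _u16_list(data):
    """Decode a 2-byte-length-prefixed list of 2-byte values (ciphersuites, groups, sigalgs)."""
    n = struct.unpack("!H", data[:2])[0]
    return [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]

def parse_client_hello(record):
    """Extract from one TLS record holding a ClientHello the fields an analyzer reports."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rec_len]
    if ctype != 0x16 or hs[0] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                  # legacy_version + 32-byte client random
    pos += 1 + body[pos]                          # session_id
    suites = _u16_list(body[pos:]); pos += 2 + 2 * len(suites)
    pos += 1 + body[pos]                          # compression_methods
    info = {"legacy_version": VERSIONS.get(legacy_version, hex(legacy_version)), "server_name": None,
            "ciphersuites": [CIPHERSUITES.get(c, "unknown(0x%04x)" % c) for c in suites],
            "groups": [], "sigalgs": [], "supported_versions": []}
    ext = body[pos + 2:pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]] if pos < len(body) else b""
    while ext:
        etype, elen = struct.unpack("!HH", ext[:4])
        edata, ext = ext[4:4 + elen], ext[4 + elen:]
        if etype == 0x0000:                       # server_name: list_len(2) name_type(1) name_len(2) name
            info["server_name"] = edata[5:5 + struct.unpack("!H", edata[3:5])[0]].decode("ascii")
        elif etype == 0x000A:                     # supported_groups
            info["groups"] = [GROUPS.get(g, "unknown(0x%04x)" % g) for g in _u16_list(edata)]
        elif etype == 0x000D:                     # signature_algorithms
            info["sigalgs"] = [SIGALGS.get(s, "unknown(0x%04x)" % s) for s in _u16_list(edata)]
        elif etype == 0x002B:                     # supported_versions: 1-byte length prefix in a ClientHello
            vers = [struct.unpack("!H", edata[1 + i:3 + i])[0] for i in range(0, edata[0], 2)]
            info["supported_versions"] = [VERSIONS.get(v, hex(v)) for v in vers]
    return info

def describe_suite(name):
    """Split an IANA ciphersuite name into the key exchange, signature, cipher and hash it denotes."""
    body = name[len("TLS_"):]
    if "_WITH_" in body:                          # TLS 1.2 and earlier: kex and signature are in the name
        kx_sig, rest = body.split("_WITH_")
        kex, _, sig = kx_sig.partition("_")
        sig = sig or kex                          # a bare "RSA" means RSA key transport, no forward secrecy
    else:                                         # TLS 1.3: kex/sig come from the two extensions instead
        kex, sig, rest = "supported_groups", "signature_algorithms", body
    cipher, _, hash_ = rest.rpartition("_")
    return {"kex": kex, "sig": sig, "cipher": cipher, "hash": hash_}

def weak_offers(info):
    """Example policy (an assumption here): pre-TLS 1.2 versions, RSA key transport and 3DES suites."""
    weak = [v for v in info["supported_versions"] if v in ("SSL 3.0", "TLS 1.0", "TLS 1.1")]
    return weak + [s for s in info["ciphersuites"] if describe_suite(s)["kex"] == "RSA" or "3DES" in s]

def build_client_hello(server_name, suites, groups, sigalgs, versions):
    """Construct a minimal ClientHello record as test input (constructed, not captured traffic)."""
    u16s = lambda vals: struct.pack("!H", 2 * len(vals)) + b"".join(struct.pack("!H", v) for v in vals)
    ext = lambda t, d: struct.pack("!HH", t, len(d)) + d
    name = server_name.encode("ascii")
    vers = b"".join(struct.pack("!H", v) for v in versions)
    exts = (ext(0x0000, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
            + ext(0x000A, u16s(groups)) + ext(0x000D, u16s(sigalgs)) + ext(0x002B, bytes([len(vers)]) + vers))
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + u16s(suites) + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs

# Constructed sample: a client offering TLS 1.3 down to TLS 1.0, one PQC hybrid group and two legacy suites.
SAMPLE = build_client_hello("example.com", [0x1301, 0xC02F, 0x002F, 0x000A],
                            [0x11EC, 0x001D, 0x0017], [0x0403, 0x0804], [0x0304, 0x0303, 0x0301])

if __name__ == "__main__":
    parsed = parse_client_hello(SAMPLE)
    for key, value in parsed.items():
        print(f"{key}: {value}")
    print("flagged:", weak_offers(parsed))
```

The parser deliberately keys everything off the raw 2-byte code points, so an unknown value (a new hybrid group, a private-use suite) is reported as `unknown(0x....)` rather than dropped; that is what makes a capture-based inventory useful for spotting PQC migration progress as well as legacy offers.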

Yanadump live streaming formats and protocols

yanadump can directly capture packets from a Linux network interface for analyzing live network traffic. It supports the following <= L4 protocols:

  • Ethernet
  • 802.1Q (VLANs)
  • Generic Routing Encapsulation (GRE)
  • IPv4 / IPv6

yanadump also supports VXLAN, which AWS uses for its port mirroring capability. It can parse generic traffic at approximately 1 Gbps per CPU GHz.
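The link layers listed under PCAP formats, the packet types under Supported <= L4 packet types, and the protocols yanadump handles on a live interface all describe the same job: getting from a pcap record, through whatever encapsulation the capture point added (802.1Q, GRE, VXLAN from AWS port mirroring), to the inner TCP or UDP flow that carries a TLS or SSH handshake. The Python example below is added for illustration and is not yanadump or Network Analyzer code. It reads a classic pcap file, strips the link-layer header by LINKTYPE, unwraps GRE and VXLAN recursively, and returns the innermost 5-tuple. The sample capture is constructed inline (a VLAN-tagged, VXLAN-encapsulated TCP/443 flow with documentation-range addresses); IPv6 extension headers and checksum validation are skipped, and the NULL/LOOP address-family word is never interpreted because the IP version nibble is used instead.

```python
import ipaddress
import struct

# LINKTYPE values from the tcpdump/libpcap link-layer header type registry.
LINKTYPE_NULL, LINKTYPE_ETHERNET, LINKTYPE_RAW, LINKTYPE_LOOP = 0, 1, 101, 108
LINKTYPE_LINUX_SLL, LINKTYPE_IPV4, LINKTYPE_IPV6, LINKTYPE_LINUX_SLL2 = 113, 228, 229, 276
# Fixed-size link headers; once stripped, the IP version nibble says what follows, so the
# NULL/LOOP address-family word and its byte order never need to be interpreted.
LINK_HEADER_LEN = {LINKTYPE_NULL: 4, LINKTYPE_LOOP: 4, LINKTYPE_RAW: 0, LINKTYPE_IPV4: 0,
                   LINKTYPE_IPV6: 0, LINKTYPE_LINUX_SLL: 16, LINKTYPE_LINUX_SLL2: 20}
VXLAN_PORT, GRE, TCP, UDP = 4789, 47, 6, 17

def read_pcap(data):
    """Yield (linktype, packet) for every record of a classic pcap file in either byte order."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        yield linktype, data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len

def strip_ethernet(frame):
    """Skip the Ethernet header plus any stacked 802.1Q/802.1ad tags; return the L3 payload."""
    ethertype, pos = struct.unpack("!H", frame[12:14])[0], 14
    while ethertype in (0x8100, 0x88A8):             # tag = TCI(2) + encapsulated ethertype(2)
        ethertype, pos = struct.unpack("!H", frame[pos + 2:pos + 4])[0], pos + 4
    return frame[pos:]

def parse_ip(pkt):
    """Walk IP -> GRE/VXLAN (recursively) -> TCP/UDP and return the innermost 5-tuple."""
    version = pkt[0] >> 4
    if version == 4:
        ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
        src, dst, payload = ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20]), pkt[ihl:]
    elif version == 6:
        proto = pkt[6]                                # next header; extension headers are not walked here
        src, dst, payload = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40]), pkt[40:]
    else:
        raise ValueError("not an IP packet")
    if proto == GRE:                                  # flags(2) proto(2), then optional checksum/key/seq words
        flags, gre_proto = struct.unpack("!HH", payload[:4])
        hdr = 4 + sum(4 for bit in (0xC000, 0x2000, 0x1000) if flags & bit)
        inner = payload[hdr:]
        return parse_ip(inner if gre_proto in (0x0800, 0x86DD) else strip_ethernet(inner))
    if proto not in (TCP, UDP):
        return {"src": str(src), "dst": str(dst), "proto": proto, "sport": None, "dport": None}
    sport, dport = struct.unpack("!HH", payload[:4])
    if proto == UDP and dport == VXLAN_PORT:          # UDP(8) + VXLAN(8), then an inner Ethernet frame
        return parse_ip(strip_ethernet(payload[16:]))
    return {"src": str(src), "dst": str(dst), "proto": proto, "sport": sport, "dport": dport}

def parse_flow(linktype, packet):
    """Strip the link layer according to LINKTYPE, then hand off to the IP walker."""
    if linktype == LINKTYPE_ETHERNET:
        return parse_ip(strip_ethernet(packet))
    return parse_ip(packet[LINK_HEADER_LEN[linktype]:])

def flows_from_pcap(data):
    return [parse_flow(lt, pkt) for lt, pkt in read_pcap(data)]

def _ipv4(src, dst, proto, payload):
    """Constructed IPv4 header (checksum left zero; this example does not validate checksums)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload

def _eth(payload, ethertype=0x0800, vlan=None):
    """Constructed Ethernet frame with zeroed MACs, optionally 802.1Q tagged."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return bytes(12) + tag + struct.pack("!H", ethertype) + payload

# Constructed sample: a mirrored TCP/443 flow, VXLAN-encapsulated inside a VLAN-tagged frame.
_inner_tcp = struct.pack("!HHIIBBHHH", 51000, 443, 0, 0, 0x50, 0x02, 65535, 0, 0)
_inner = _eth(_ipv4("192.0.2.10", "203.0.113.5", TCP, _inner_tcp))
_vxlan = (struct.pack("!HHHH", 40000, VXLAN_PORT, 16 + len(_inner), 0)
          + struct.pack("!BBBBI", 0x08, 0, 0, 0, 100 << 8) + _inner)
_frame = _eth(_ipv4("198.51.100.1", "198.51.100.2", UDP, _vxlan), vlan=100)
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
               + struct.pack("<IIII", 0, 0, len(_frame), len(_frame)) + _frame)

if __name__ == "__main__":
    for flow in flows_from_pcap(SAMPLE_PCAP):
        print(flow)
```

The same `parse_flow` works for a LINKTYPE_RAW or LINKTYPE_NULL capture because the header length table is the only thing that changes per link type; the recursion through GRE and VXLAN is what lets a mirrored-traffic capture from AWS resolve to the original client/server addresses and ports rather than the mirror target's.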

Refer to Getting started with live network traffic monitoring for details on using yanadump.