Handshake data

The SandboxAQ Network Analyzer can identify both complete and incomplete handshakes and extract the following data:

  • Source IP
  • Target IP
  • Source Port
  • Target Port
  • Selected Ciphersuite
  • Client-supported Ciphersuites
  • Selected EC Group
  • Client-supported Groups
  • Certificate and Key information
  • Client timestamp
  • Server timestamp
  • Server name

Handshake data can be accessed through the Web Interface and the GraphQL API. For Web Interface instructions and details, refer to Handshake fundamentals.

Supported formats and protocols

The Network Analyzer supports several types of PCAP formats, PCAP link layers, and protocols.

Details are explained in the sections that follow.

PCAP formats

The Network Analyzer supports any format that the pcap-parser supports. These formats are:

PCAP link layers

The Network Analyzer supports the following PCAP link layers:

  • LINKTYPE_NULL - Null (assuming the capturing host was little-endian)
  • LINKTYPE_LOOP - Loop (assuming the capturing host was little-endian)
  • LINKTYPE_ETHERNET - Ethernet
  • LINKTYPE_IPV4 - IPv4
  • LINKTYPE_IPV6 - IPv6
  • LINKTYPE_RAW - Raw
  • LINKTYPE_LINUX_SLL - Linux cooked capture encapsulation
  • LINKTYPE_LINUX_SLL2 - Linux cooked capture encapsulation v2

Refer to the LINKTYPE definitions for details.

Supported <= L4 packet types

The Network Analyzer supports the following packet types for layer 4 or lower:

  • Ethernet
  • Dot1q
  • IPv4 / IPv6
  • Generic Routing Encapsulation (GRE)
  • VXLAN
  • TCP / UDP
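To make the link-layer and packet-type lists above concrete, here is an added example (written for this page, not the Network Analyzer's own code) that strips the listed link-layer headers, then walks 802.1Q, IPv4/IPv6, GRE and VXLAN down to the TCP/UDP five-tuple. The LINKTYPE and ethertype constants are the registered values; the sample frames are constructed in the block and are not real captures. The IPv6 path assumes no extension headers, and LINKTYPE_NULL is decoded with the page's little-endian assumption.

```python
import socket
import struct

# LINKTYPE values from the tcpdump/libpcap link-layer header types registry.
LINKTYPE_NULL, LINKTYPE_ETHERNET, LINKTYPE_RAW = 0, 1, 101
LINKTYPE_LINUX_SLL, LINKTYPE_IPV4, LINKTYPE_IPV6, LINKTYPE_LINUX_SLL2 = 113, 228, 229, 276
ETH_IPV4, ETH_DOT1Q, ETH_IPV6 = 0x0800, 0x8100, 0x86DD
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, VXLAN_PORT = 6, 17, 47, 4789


def strip_link_layer(linktype, frame):
    """Return (ethertype, payload) with the link-layer header removed."""
    if linktype == LINKTYPE_ETHERNET:
        return struct.unpack("!H", frame[12:14])[0], frame[14:]
    if linktype == LINKTYPE_LINUX_SLL:            # 16-byte cooked header, protocol in the last 2 bytes
        return struct.unpack("!H", frame[14:16])[0], frame[16:]
    if linktype == LINKTYPE_LINUX_SLL2:           # 20-byte cooked v2 header, protocol in the first 2 bytes
        return struct.unpack("!H", frame[0:2])[0], frame[20:]
    if linktype == LINKTYPE_NULL:                 # 4-byte address family in host order; assumption: little-endian
        af = struct.unpack("<I", frame[:4])[0]
        return (ETH_IPV4 if af == 2 else ETH_IPV6), frame[4:]   # AF_INET is 2; other values treated as IPv6
    if linktype in (LINKTYPE_RAW, LINKTYPE_IPV4, LINKTYPE_IPV6):
        return (ETH_IPV4 if frame[0] >> 4 == 4 else ETH_IPV6), frame   # no header: IP version nibble decides
    raise ValueError(f"unsupported link type {linktype}")


def parse_ethertype(ethertype, data, layers):
    """Walk from an ethertype down to L4, peeling 802.1Q, GRE and VXLAN encapsulation."""
    while ethertype == ETH_DOT1Q:                 # 802.1Q tag: 2-byte TCI, then the inner ethertype
        layers.append("dot1q")
        ethertype, data = struct.unpack("!H", data[2:4])[0], data[4:]
    if ethertype == ETH_IPV4:
        ihl, proto = (data[0] & 0x0F) * 4, data[9]
        src, dst = socket.inet_ntop(socket.AF_INET, data[12:16]), socket.inet_ntop(socket.AF_INET, data[16:20])
        layers.append("ipv4")
        l4 = data[ihl:]
    elif ethertype == ETH_IPV6:                   # assumption: no extension headers between IPv6 and L4
        proto = data[6]
        src, dst = socket.inet_ntop(socket.AF_INET6, data[8:24]), socket.inet_ntop(socket.AF_INET6, data[24:40])
        layers.append("ipv6")
        l4 = data[40:]
    else:
        raise ValueError(f"unsupported ethertype {ethertype:#06x}")
    return parse_transport(proto, src, dst, l4, layers)


def parse_transport(proto, src, dst, l4, layers):
    """Handle GRE and VXLAN tunnels, otherwise return the TCP/UDP five-tuple."""
    if proto == IPPROTO_GRE:                      # RFC 2784/2890: flags, inner ethertype, optional C/K/S words
        flags, inner_type = struct.unpack("!HH", l4[:4])
        off = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
        layers.append("gre")
        return parse_ethertype(inner_type, l4[off:], layers)
    if proto not in (IPPROTO_TCP, IPPROTO_UDP):
        raise ValueError(f"unsupported IP protocol {proto}")
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == IPPROTO_UDP and dport == VXLAN_PORT:   # 8-byte UDP + 8-byte VXLAN header, then inner Ethernet
        layers.append("vxlan")
        inner = l4[16:]
        return parse_ethertype(struct.unpack("!H", inner[12:14])[0], inner[14:], layers)
    layers.append("tcp" if proto == IPPROTO_TCP else "udp")
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport, "layers": layers}


def decode(linktype, frame):
    """Five-tuple and encapsulation path of one captured frame."""
    ethertype, payload = strip_link_layer(linktype, frame)
    return parse_ethertype(ethertype, payload, [])


# --- constructed sample frames (built here for the example, not real captures) -------------
def ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def ethernet(ethertype, payload):
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ethertype) + payload


TCP_SYN_443 = struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 0x50, 0x02, 64240, 0, 0)
INNER = ethernet(ETH_IPV4, ipv4("10.0.0.5", "10.0.0.9", IPPROTO_TCP, TCP_SYN_443))
VXLAN = struct.pack("!BBHI", 0x08, 0, 0, 100 << 8) + INNER          # I flag set, VNI 100
UDP_4789 = struct.pack("!HHHH", 40000, VXLAN_PORT, 8 + len(VXLAN), 0) + VXLAN
SAMPLES = {
    # Ethernet / 802.1Q (VLAN 10) / IPv4 / UDP 4789 / VXLAN / Ethernet / IPv4 / TCP :443
    LINKTYPE_ETHERNET: ethernet(ETH_DOT1Q, struct.pack("!HH", 10, ETH_IPV4)
                                + ipv4("192.0.2.1", "192.0.2.2", IPPROTO_UDP, UDP_4789)),
    # Linux cooked capture of the same inner IPv4 / TCP packet, no tunnel
    LINKTYPE_LINUX_SLL: bytes(14) + struct.pack("!H", ETH_IPV4)
                        + ipv4("10.0.0.5", "10.0.0.9", IPPROTO_TCP, TCP_SYN_443),
    # GRE-in-IPv4 (no optional fields) carrying the same inner packet, raw IP link layer
    LINKTYPE_RAW: ipv4("198.51.100.1", "198.51.100.2", IPPROTO_GRE,
                       struct.pack("!HH", 0, ETH_IPV4) + ipv4("10.0.0.5", "10.0.0.9", IPPROTO_TCP, TCP_SYN_443)),
}

if __name__ == "__main__":
    for linktype, frame in SAMPLES.items():
        print(linktype, decode(linktype, frame))
```

All three constructed frames resolve to the same inner flow (10.0.0.5:51000 to 10.0.0.9:443), which is the point: the handshake extractor only sees a consistent five-tuple once every encapsulation layer the page lists has been peeled, and the `layers` list records which ones were present.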

Supported L7 handshake extraction protocols

The Network Analyzer supports the following handshake extraction protocols for layer 7:

  • TLS 1.3 - Extracts client-supported ciphersuites, elliptic curves, and signature algorithms (classic, hybrid, or PQC), along with the server’s selected ciphersuites. Refer to TLS handshake details.
  • SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2 - Extracts classic cryptographic objects as in TLS 1.3, as well as any available X.509 certificates.
  • SSH 2 - Extracts host key algorithms and algorithms for client/server key exchange, encryption, and MAC. Refer to SSH handshake details.

Ciphersuite data

The Network Analyzer provides an in-depth analysis of ciphersuites and extracts the following:

  • TLS version
  • Internet Engineering Task Force (IETF) recommendation status
  • Reference to RFCs where it was defined
  • Key exchange algorithm
  • Signature algorithm
  • Symmetric cipher algorithm
  • MAC algorithm
  • Hash algorithm

Ciphersuite data can be accessed through the Web Interface and the GraphQL API. For Web Interface instructions and details, refer to Handshake fundamentals.
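The following added example (written for this page; it is not the Network Analyzer's code) ties together the two preceding sections: it parses a TLS ClientHello to recover the client-supported ciphersuites, supported groups, signature algorithms, offered versions and server name, then breaks each ciphersuite into the key-exchange, signature, cipher, MAC and hash components listed under Ciphersuite data. The lookup tables are small constructed subsets of the IANA TLS registries (suite IDs, group IDs including the hybrid X25519MLKEM768 group, and the Recommended flag are the registered values); the ClientHello itself is built in the block with a zeroed random and no key_share extension.

```python
import struct

# Constructed subsets of the IANA TLS registries; a real analyzer carries the full tables.
CIPHER_SUITES = {  # id: (name, IETF "Recommended" flag in the IANA registry)
    0x1301: ("TLS_AES_128_GCM_SHA256", True),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", True),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", False),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", False),
}
GROUPS = {0x0017: ("secp256r1", "classic"), 0x001D: ("x25519", "classic"),
          0x11EC: ("X25519MLKEM768", "hybrid")}
SIG_ALGS = {0x0403: "ecdsa_secp256r1_sha256", 0x0804: "rsa_pss_rsae_sha256"}
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")


def _u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]


def _u16_list(buf, off, nbytes):
    return [_u16(buf, off + i) for i in range(0, nbytes, 2)]


def parse_client_hello(record):
    """Pull the client-offered parameters out of a TLS record carrying a ClientHello."""
    if record[0] != 22 or record[5] != 1:          # record type handshake, handshake type client_hello
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    off = 2 + 32                                   # legacy_version + random
    off += 1 + body[off]                           # legacy_session_id
    n = _u16(body, off); off += 2
    info = {"client_ciphersuites": _u16_list(body, off, n), "groups": [], "sig_algs": [],
            "versions": [], "sni": None}
    off += n
    off += 1 + body[off]                           # legacy_compression_methods
    end = off + 2 + _u16(body, off); off += 2
    while off < end:                               # extension: type(2) length(2) data
        etype, elen = _u16(body, off), _u16(body, off + 2)
        ext = body[off + 4: off + 4 + elen]; off += 4 + elen
        if etype == 0:                             # server_name: list len(2), type(1), len(2), name
            info["sni"] = ext[5:5 + _u16(ext, 3)].decode("ascii")
        elif etype == 10:                          # supported_groups: len(2), ids
            info["groups"] = _u16_list(ext, 2, _u16(ext, 0))
        elif etype == 13:                          # signature_algorithms: len(2), ids
            info["sig_algs"] = _u16_list(ext, 2, _u16(ext, 0))
        elif etype == 43:                          # supported_versions (client form): len(1), versions
            info["versions"] = _u16_list(ext, 1, ext[0])
    return info


def describe_suite(suite_id):
    """Split a suite into the components listed under Ciphersuite data."""
    if suite_id not in CIPHER_SUITES:
        return {"name": f"UNKNOWN_{suite_id:#06x}", "recommended": False}
    name, recommended = CIPHER_SUITES[suite_id]
    parts = name.split("_")
    if "WITH" in parts:                            # TLS <= 1.2 form: TLS_<kex>[_<auth>]_WITH_<cipher>_<hash>
        i = parts.index("WITH")
        kex = parts[1]
        auth = parts[2] if i > 2 else kex          # TLS_RSA_WITH_...: RSA is both key exchange and signature
        cipher, hash_, tls13 = "_".join(parts[i + 1:-1]), parts[-1], False
    else:                                          # TLS 1.3 form: TLS_<aead>_<hash>; kex/auth negotiated separately
        kex = auth = None
        cipher, hash_, tls13 = "_".join(parts[1:-1]), parts[-1], True
    mac = "AEAD" if any(m in cipher for m in AEAD_MARKERS) else f"HMAC-{hash_}"
    return {"name": name, "recommended": recommended, "kex": kex, "auth": auth,
            "cipher": cipher, "mac": mac, "hash": hash_, "tls13": tls13}


def summarize(info):
    """Name the offered groups and signature algorithms and flag hybrid/PQC key exchange."""
    groups = [GROUPS.get(g, (f"unknown_{g:#06x}", "unknown")) for g in info["groups"]]
    return {"sni": info["sni"], "tls13_offered": 0x0304 in info["versions"],
            "suites": [describe_suite(s) for s in info["client_ciphersuites"]], "groups": groups,
            "pq_ready": any(kind in ("hybrid", "pqc") for _, kind in groups),
            "sig_algs": [SIG_ALGS.get(s, f"unknown_{s:#06x}") for s in info["sig_algs"]]}


def build_client_hello(sni, suites, groups, sig_algs, versions):
    """Constructed ClientHello record (zero random, no key_share) used as the example's input."""
    u16s = lambda ids: b"".join(struct.pack("!H", x) for x in ids)
    host = sni.encode("ascii")
    sni_ext = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    g, s, v = u16s(groups), u16s(sig_algs), u16s(versions)
    exts = (struct.pack("!HH", 0, len(sni_ext)) + sni_ext
            + struct.pack("!HHH", 10, len(g) + 2, len(g)) + g
            + struct.pack("!HHH", 13, len(s) + 2, len(s)) + s
            + struct.pack("!HHB", 43, len(v) + 1, len(v)) + v)
    cs = u16s(suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample: a client offering TLS 1.3 and 1.2, a hybrid PQC group, and one legacy suite.
SAMPLE_HELLO = build_client_hello("example.com", [0x1301, 0xC02F, 0x002F],
                                  [0x11EC, 0x001D, 0x0017], [0x0403, 0x0804], [0x0304, 0x0303])

if __name__ == "__main__":
    print(summarize(parse_client_hello(SAMPLE_HELLO)))
```

The split in `describe_suite` is why the TLS 1.3 entry above reports no key-exchange or signature algorithm: in TLS 1.3 those come from the supported_groups and signature_algorithms extensions rather than the suite name, which is also where the classic/hybrid/PQC classification of the key exchange has to be read.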