Skip to content


Analysis data🔗

The SandboxAQ Network Analyzer can identify both complete and incomplete TLS handshakes and extract the following data:

  • Source IP (Complete and Incomplete handshakes)
  • Target IP (Complete and Incomplete handshakes)
  • Source Port (Complete and Incomplete handshakes)
  • Target Port (Complete and Incomplete handshakes)
  • Selected Cipher Suite (Complete handshakes only)
  • Client supported Cipher suites (Complete and Incomplete handshakes)
  • Selected EC Group (Complete handshakes only)
  • Client supported Groups (Complete and Incomplete handshakes)
  • Certificate and Key information (Complete handshakes only)
  • Client timestamp (Complete and Incomplete handshakes)
  • Server timestamp (Complete handshakes only)
  • Server name (Complete and Incomplete handshakes)

The Network Analyzer also provides an in-depth analysis of ciphersuites and extracts the following:

  • TLS version
  • Internet Engineering Task Force (IETF) recommendation status
  • Reference to RFCs where it was defined
  • Key exchange algorithm
  • Signature algorithm
  • Symmetric cipher algorithm
  • MAC algorithm
  • Hash algorithm

This data can be accessed through both the Web Interface and the GraphQL API.

For more details on reports, refer to Report fundamentals.

Ciphersuites and Handshakes🔗

The Ciphersuites and Handshakes tables within a Network Analyzer report provide detailed information about the negotiation of cryptographic parameters during data transmission.

Ciphersuites table🔗

The Ciphersuites table contains a list of all ciphersuites that were selected and negotiated during data transmission. You can filter the table by two main categories:

  1. Only selected in the negotiation: This filter displays ciphersuites that were actively chosen and used during data transmission.
  2. Only recommended by IETF: You can filter ciphersuites based on recommendations provided by the IETF, ensuring compliance with industry standards.

Selecting any ciphersuite in the table redirects you to the Handshakes table, which is automatically filtered to show handshakes that are associated with the selected ciphersuite.

Handshakes table🔗

The Handshakes table presents an overview of all handshakes detected in your uploaded PCAP file. You can filter this table by any column, allowing you to focus your analysis on specific handshake attributes.


To view the Handshakes and Ciphersuite tables:

  1. Log in to the AQtive Guard Web Interface, then select Projects from the menu bar.
  2. Locate a project with an analysis created using the Network Analyzer. You may need to:
    • Use the filters at the top of the table to narrow your view.
    • Request access to a specific project if it’s not initially visible.
  3. Select the project, then navigate to the Reports tab.
  4. Select the report you wish to view, then select the Ciphersuites or Handshakes tab to view the relevant information.


The Handshake and Ciphersuite tabs are only available in a Network Analyzer report.

Supported TLS versions🔗

  • TLS 1.3: extracts client-supported cipher suites, elliptic curves, and signature algorithms (classic, hybrid, or PQC), along with the server’s selected cipher suites.
  • The following extract classic cryptographic objects as in TLS 1.3, as well as any available X.509 certificates:
    • TLS 1.2
    • TLS 1.1
    • TLS 1.0
    • SSL 3.0