TLS Analyzer

TLS Analyzer accepts PCAP or a text file as input. JA3 fingerprints are extracted from PCAP and additional information is displayed. Text files analysis allows you to match JA3 hash, JA3 fullstring or User-Agent. For example, you can get JA3 hash and User-Agent list by uploading JA3 fullstring. And if the User-Agent value is entered, then the search will be performed for records that have such a substring in the User-Agent.

The following checkboxes can be activated for this mechanism:

  • Interactive — an interactive HTML report is formed instead of a text one;
  • Search in JA3 fingerprint lists — add a section to the report displays the results of JA3 fingerprints checking against reputation lists;
  • Show all known User-Agents for JA3 fingerprints — add a section to the report displays all observable User-Agents for each JA3 fingerprint in the file.

The sections inside the report are presented in CSV format so it can be easily analyzed in other tools like Excel or Jupyter.

The report can be generated as a text file or as an interactive HTML page if the Interactive checkbox is set. The content of the report does not depend on the presentation form, but the interactive version has some advantages and is more convenient to use. The interactive report can be exported to an HTML page or JSON for later use outside of the PSG. Each section can be collapsed.

If a text file is fed to the input, the general appearance of the report does not change, but not all of its sections will be filled.