TLS analysis method (for ATLS countermeasure)

This method extracts JA3 fingerprints of TLS traffic from a PCAP file. The results are written as CSV so that they can be easily analyzed in other tools, from Excel to Jupyter.

Report

The report consists of three sections:

  • Summary:

    • Packets total - the number of packets in the dump;
    • Packets filtered - the number of packets analyzed;
    • ClientHello - the number of ClientHello messages found;
    • Fingerprints - the number of unique fingerprints.

  • Fingerprints:
    A list of unique fingerprints in the ATLS countermeasure loading format, sorted in descending order by the number of times each fingerprint occurs in the dump.

  • User-Agent Analysis:
    An additional section intended for the user. For each unique fingerprint:

    • Count - how many times the fingerprint was found in the dump;
    • MD5 Hash - for looking up information in external sources;
    • Possible User-Agent - a User-Agent hint.
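
As an added example (not the tool's own code), the Python below derives the JA3 string and its MD5 hash from a single ClientHello and counts occurrences per fingerprint, as the Count and MD5 Hash fields above imply. It assumes the TLS record bytes have already been extracted from the capture; the function names and the sample record are constructed for illustration.

```python
import hashlib
import struct
from collections import Counter

def is_grease(v):  # RFC 8701 GREASE values (0x0a0a ... 0xfafa) are left out of JA3
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)

def u16_list(buf):
    return [v for (v,) in struct.iter_unpack("!H", buf) if not is_grease(v)]

def ja3_from_record(rec):
    """Return (ja3_string, md5_hex) for a TLS record carrying a ClientHello, else None."""
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        return None  # not a handshake record, or not a ClientHello
    body = rec[9:]  # skip record header (5 bytes) and handshake header (4 bytes)
    try:
        version = struct.unpack_from("!H", body, 0)[0]
        pos = 2 + 32  # client_version + random
        pos += 1 + body[pos]  # session_id
        n = struct.unpack_from("!H", body, pos)[0]
        ciphers = u16_list(body[pos + 2:pos + 2 + n])
        pos += 2 + n
        pos += 1 + body[pos]  # compression_methods
        exts, groups, formats = [], [], []
        if pos < len(body):
            end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack_from("!HH", body, pos)
                data = body[pos + 4:pos + 4 + elen]
                pos += 4 + elen
                if is_grease(etype):
                    continue
                exts.append(etype)
                if etype == 10:  # supported_groups: 2-byte list length, then groups
                    groups = u16_list(data[2:])
                elif etype == 11:  # ec_point_formats: 1-byte list length, then formats
                    formats = list(data[1:])
    except (struct.error, IndexError):
        return None  # truncated or malformed ClientHello
    fields = [[version], ciphers, exts, groups, formats]
    ja3 = ",".join("-".join(map(str, f)) for f in fields)
    return ja3, hashlib.md5(ja3.encode()).hexdigest()

def count_fingerprints(records):  # unique fingerprints, most frequent first
    return Counter(r for r in map(ja3_from_record, records) if r).most_common()

# Constructed sample record: TLS 1.2 ClientHello with GREASE values mixed in.
SAMPLE = bytes.fromhex("160301004d" "01000049" "0303" + "00" * 33 + "00060a0a1301c02f" "0100"
                       "001a" "1a1a0000" "00170000" "000a000800062a2a001d0017" "000b00020100")
```

Calling `ja3_from_record(SAMPLE)` returns the string `771,4865-49199,23-10-11,29-23,0` together with its MD5 digest; the GREASE cipher, extension and group in the sample do not appear in it.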