AQG Network Analyzer reference
Network analyzer data
The Handshakes and Ciphersuites tables below provide details about the negotiation of cryptographic parameters during data transmission.
Handshake data
The AQG Network Analyzer can identify both complete and incomplete handshakes and extract the following data:
Data | Complete Handshakes | Incomplete Handshakes |
---|---|---|
Source IP | ✅ | ✅ |
Target IP | ✅ | ✅ |
Source Port | ✅ | ✅ |
Target Port | ✅ | ✅ |
Selected Ciphersuite | ✅ | — |
Client-supported Ciphersuites | ✅ | ✅ |
Selected EC Group | ✅ | — |
Client-supported Groups | ✅ | ✅ |
Certificate and Key information | ✅ | — |
Client timestamp | ✅ | ✅ |
Server timestamp | ✅ | — |
Server name | ✅ | ✅ |
Handshake data can be accessed through the Web Interface and the GraphQL API.
You can also use the yanadump tool to dump handshake information from a PCAP file. Run:
This generates a trace file that includes all TLS handshake information in Protobuf format. This compact format saves considerable time when uploading to AQtive Guard for analysis.
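The following is an added example, not AQG or yanadump code, showing how the table's fields map onto the raw TLS records: the client-side fields (supported ciphersuites, supported groups, server name) come from the ClientHello and are available even for an incomplete handshake, while the selected ciphersuite and selected group only exist once a ServerHello has been seen. The record builders, the small IANA name tables and the constructed sample are assumptions of this example; IP addresses, ports and timestamps belong to the packet layer and are left out here.

```python
"""Extract the handshake fields in the table above from raw TLS ClientHello / ServerHello
records and mark the handshake complete or incomplete (added example, not AQG code)."""
import struct

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 0x01, 0x02
EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS, EXT_KEY_SHARE = 0x0000, 0x000A, 0x0033
# Small IANA name tables, just enough for the constructed sample below.
SUITES = {0x1301: "TLS_AES_128_GCM_SHA256", 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
GROUPS = {0x001D: "x25519", 0x0017: "secp256r1"}

def _extensions(blob):
    """Split an extensions block into {extension_type: extension_data}."""
    exts, i = {}, 0
    while i + 4 <= len(blob):
        etype, elen = struct.unpack_from("!HH", blob, i)
        exts[etype] = blob[i + 4:i + 4 + elen]
        i += 4 + elen
    return exts

def _handshake_body(record, want):
    """Strip the 5-byte record header and 4-byte handshake header, checking both types."""
    ctype, _version, rlen = struct.unpack_from("!BHH", record, 0)
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rlen]
    if hs[0] != want:
        raise ValueError(f"expected handshake type {want}, got {hs[0]}")
    return hs[4:4 + int.from_bytes(hs[1:4], "big")]

def parse_client_hello(record):
    b = _handshake_body(record, CLIENT_HELLO)
    i = 2 + 32                                   # legacy_version + random
    i += 1 + b[i]                                # session_id
    n = struct.unpack_from("!H", b, i)[0]; i += 2
    suites = [struct.unpack_from("!H", b, i + k)[0] for k in range(0, n, 2)]; i += n
    i += 1 + b[i]                                # compression_methods
    n = struct.unpack_from("!H", b, i)[0]; i += 2
    exts = _extensions(b[i:i + n])
    groups, sni = [], None
    if EXT_SUPPORTED_GROUPS in exts:             # list length (2), then 2-byte group ids
        g = exts[EXT_SUPPORTED_GROUPS]
        gl = struct.unpack_from("!H", g, 0)[0]
        groups = [struct.unpack_from("!H", g, 2 + k)[0] for k in range(0, gl, 2)]
    if EXT_SERVER_NAME in exts:                  # list length (2), name_type (1), name length (2), name
        s = exts[EXT_SERVER_NAME]
        sni = s[5:5 + struct.unpack_from("!H", s, 3)[0]].decode("ascii")
    return {"suites": suites, "groups": groups, "server_name": sni}

def parse_server_hello(record):
    b = _handshake_body(record, SERVER_HELLO)
    i = 2 + 32
    i += 1 + b[i]
    suite = struct.unpack_from("!H", b, i)[0]; i += 3   # cipher_suite (2) + compression_method (1)
    n = struct.unpack_from("!H", b, i)[0]; i += 2
    exts = _extensions(b[i:i + n])
    group = None
    if EXT_KEY_SHARE in exts:                    # ServerHello key_share holds one entry, group id first
        group = struct.unpack_from("!H", exts[EXT_KEY_SHARE], 0)[0]
    return {"selected_suite": suite, "selected_group": group}

def summarize_handshake(client_record, server_record=None):
    """Table fields; the server-selected fields stay None while the handshake is incomplete."""
    ch = parse_client_hello(client_record)
    out = {"complete": server_record is not None,
           "client_suites": [SUITES.get(s, hex(s)) for s in ch["suites"]],
           "client_groups": [GROUPS.get(g, hex(g)) for g in ch["groups"]],
           "server_name": ch["server_name"], "selected_suite": None, "selected_group": None}
    if server_record is not None:
        sh = parse_server_hello(server_record)
        out["selected_suite"] = SUITES.get(sh["selected_suite"], hex(sh["selected_suite"]))
        out["selected_group"] = GROUPS.get(sh["selected_group"], sh["selected_group"])
    return out

# --- constructed sample records (synthetic, not captured traffic) --------------
def _record(htype, body):
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(hs)) + hs

def _ext(etype, data):
    return struct.pack("!HH", etype, len(data)) + data

def build_client_hello(suites, groups, sni):
    name = sni.encode("ascii")
    exts = _ext(EXT_SERVER_NAME, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
    glist = b"".join(struct.pack("!H", g) for g in groups)
    exts += _ext(EXT_SUPPORTED_GROUPS, struct.pack("!H", len(glist)) + glist)
    slist = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(slist)) + slist
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    return _record(CLIENT_HELLO, body)

def build_server_hello(suite, group):
    ks = _ext(EXT_KEY_SHARE, struct.pack("!HH", group, 32) + bytes(32))
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
            + struct.pack("!H", len(ks)) + ks)
    return _record(SERVER_HELLO, body)

if __name__ == "__main__":
    ch = build_client_hello([0x1301, 0xC02F], [0x001D, 0x0017], "example.test")
    print(summarize_handshake(ch))                                   # incomplete: server fields None
    print(summarize_handshake(ch, build_server_hello(0x1301, 0x001D)))  # complete
```

Calling `summarize_handshake` with only the ClientHello reproduces the "Incomplete Handshakes" column; passing the ServerHello as well fills in the server-side columns.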
Ciphersuite data
The AQG Network Analyzer provides an in-depth analysis of TLS ciphersuites and extracts the following:
- TLS version
- Key exchange algorithm
- Signature algorithm
- Symmetric cipher algorithm
- MAC algorithm
- Hash algorithm
Ciphersuite data can be accessed through the Web Interface and the GraphQL API.
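As an added example (not AQG code), the following shows how the fields listed above can be derived from an IANA ciphersuite name. The prefix table, the choice to report the suite's own hash suffix as the hash algorithm, and the `forward_secrecy` flag are assumptions of this example. TLS 1.3 suite names carry only the AEAD and hash, so for those the key exchange and signature algorithm have to come from the handshake extensions rather than from the name; the TLS version is likewise taken from the handshake for pre-1.3 suites, since the same name is used under several versions.

```python
"""Decompose an IANA ciphersuite name into version, key exchange, signature, cipher,
MAC and hash (added example, not AQG code)."""
import re

# Key-exchange prefix -> (key exchange, signature/authentication). Not exhaustive.
KEX = {"RSA": ("RSA", "RSA"), "DHE_RSA": ("DHE", "RSA"), "DHE_DSS": ("DHE", "DSS"),
       "ECDHE_RSA": ("ECDHE", "RSA"), "ECDHE_ECDSA": ("ECDHE", "ECDSA"),
       "ECDH_RSA": ("ECDH", "RSA"), "ECDH_ECDSA": ("ECDH", "ECDSA"),
       "PSK": ("PSK", "PSK"), "DHE_PSK": ("DHE", "PSK"), "ECDHE_PSK": ("ECDHE", "PSK"),
       "DH_anon": ("DH", None), "ECDH_anon": ("ECDH", None)}
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
                "TLS_AES_128_CCM_8_SHA256"}
HASH = {"MD5": "MD5", "SHA": "SHA1", "SHA256": "SHA256", "SHA384": "SHA384"}

def decompose(name, version="TLS 1.2"):
    """`version` is the negotiated version seen on the wire; it is not encoded in pre-1.3 names."""
    if name in TLS13_SUITES:
        # TLS 1.3 names carry only AEAD + hash; key exchange and signature are
        # negotiated via the key_share / signature_algorithms extensions instead.
        cipher, h = name[4:].rsplit("_", 1)
        return {"version": "TLS 1.3", "key_exchange": "negotiated by extension",
                "signature": "negotiated by extension", "cipher": cipher, "mac": "AEAD",
                "hash": HASH[h], "forward_secrecy": True}
    m = re.fullmatch(r"TLS_(?P<kex>[A-Za-z_]+?)_WITH_(?P<rest>.+)", name)
    if not m or m["kex"] not in KEX:
        raise ValueError(f"unrecognised suite name {name}")
    kex, sig = KEX[m["kex"]]
    rest = m["rest"]
    if rest.endswith(("_CCM", "_CCM_8")):
        # RFC 6655 / RFC 7251 CCM suites carry no hash suffix; their PRF is SHA-256.
        cipher, mac, h = rest, "AEAD", "SHA256"
    else:
        cipher, suffix = rest.rsplit("_", 1)
        h = HASH[suffix]
        mac = "AEAD" if cipher.endswith(("_GCM", "_POLY1305")) else f"HMAC-{h}"
    return {"version": version, "key_exchange": kex, "signature": sig, "cipher": cipher,
            "mac": mac, "hash": h, "forward_secrecy": kex in ("DHE", "ECDHE")}

if __name__ == "__main__":
    for suite in ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                  "TLS_AES_256_GCM_SHA384"):
        print(suite, decompose(suite))
```

The `forward_secrecy` flag is the kind of derived attribute an inventory wants next to the raw fields: RSA key transport (`TLS_RSA_WITH_...`) authenticates with the certificate key and offers no forward secrecy, while the (EC)DHE families do.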
PCAP formats and packet types
The AQG Network Analyzer supports several PCAP formats, PCAP link layers, and protocols. Refer to Getting started with PCAP upload for details on using PCAPs for analysis.
PCAP formats
The AQG Network Analyzer supports any format that the pcap-parser supports. These formats are:
PCAP link layers
The AQG Network Analyzer supports the following PCAP link layers:
- LINKTYPE_NULL: Null (assuming the capturing host was little-endian)
- LINKTYPE_LOOP: Loop (assuming the capturing host was little-endian)
- LINKTYPE_ETHERNET: Ethernet
- LINKTYPE_IPV4: IPv4
- LINKTYPE_IPV6: IPv6
- LINKTYPE_RAW: Raw
- LINKTYPE_LINUX_SLL: Linux cooked capture encapsulation
- LINKTYPE_LINUX_SLL2: Linux cooked capture encapsulation v2
Refer to the LINKTYPE definitions for details.
Supported <= L4 packet types
The AQG Network Analyzer supports the following packet types for layer 4 or lower:
- Ethernet
- Dot1q
- IPv4 / IPv6
- Generic Routing Encapsulation (GRE)
- VXLAN
- TCP / UDP
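The following is an added example, not AQG or yanadump code, covering the two lists above: it reads a classic pcap file's global header, picks the link-layer header to strip from the LINKTYPE value, then decapsulates Ethernet (with 802.1Q tags), IPv4/IPv6, UDP-carried VXLAN and TCP/UDP down to the innermost 5-tuple. The sample capture is constructed inline; the LINKTYPE numbers are the tcpdump.org registry values. GRE, IPv6 extension headers and LINKTYPE_LOOP are left out of this example.

```python
"""Walk a classic libpcap file, strip the link-layer header by LINKTYPE, and decapsulate
Ethernet / 802.1Q / IPv4 / IPv6 / UDP / VXLAN / TCP to a 5-tuple (added example, not AQG code)."""
import ipaddress
import struct

LINKTYPE_NULL, LINKTYPE_ETHERNET, LINKTYPE_RAW = 0, 1, 101          # tcpdump.org registry values
LINKTYPE_LINUX_SLL, LINKTYPE_LINUX_SLL2, LINKTYPE_IPV4, LINKTYPE_IPV6 = 113, 276, 228, 229
ETH_IPV4, ETH_IPV6, ETH_DOT1Q, ETH_QINQ = 0x0800, 0x86DD, 0x8100, 0x88A8
VXLAN_PORT = 4789

def _ethernet(frame):
    """Ethernet II header, following 802.1Q / 802.1ad tags to the payload ethertype."""
    etype, off = struct.unpack_from("!H", frame, 12)[0], 14
    while etype in (ETH_DOT1Q, ETH_QINQ):
        etype, off = struct.unpack_from("!H", frame, off + 2)[0], off + 4
    return etype, frame[off:]

def _by_ethertype(etype, pkt):
    if etype == ETH_IPV4:                 # IHL nibble gives the header length in 32-bit words
        return _transport(pkt[9], pkt[12:16], pkt[16:20], pkt[(pkt[0] & 0x0F) * 4:])
    if etype == ETH_IPV6:                 # extension headers are not walked in this example
        return _transport(pkt[6], pkt[8:24], pkt[24:40], pkt[40:])
    return None

def _transport(proto, src, dst, seg):
    if proto not in (6, 17):
        return None
    sport, dport = struct.unpack_from("!HH", seg, 0)
    if proto == 17 and dport == VXLAN_PORT:   # 8-byte UDP + 8-byte VXLAN header, then inner Ethernet
        return _by_ethertype(*_ethernet(seg[16:]))
    return {"proto": "tcp" if proto == 6 else "udp", "src": str(ipaddress.ip_address(src)),
            "sport": sport, "dst": str(ipaddress.ip_address(dst)), "dport": dport}

def decapsulate(linktype, data):
    """Innermost TCP/UDP 5-tuple of one captured packet, or None if it carries neither."""
    if linktype == LINKTYPE_ETHERNET:
        return _by_ethertype(*_ethernet(data))
    if linktype == LINKTYPE_LINUX_SLL:    # 16-byte header, protocol (an ethertype) at offset 14
        return _by_ethertype(struct.unpack_from("!H", data, 14)[0], data[16:])
    if linktype == LINKTYPE_LINUX_SLL2:   # 20-byte header, protocol at offset 0
        return _by_ethertype(struct.unpack_from("!H", data, 0)[0], data[20:])
    if linktype == LINKTYPE_NULL:         # 4-byte address family in host order (little-endian assumed)
        family = struct.unpack_from("<I", data, 0)[0]
        return _by_ethertype(ETH_IPV4 if family == 2 else ETH_IPV6, data[4:])
    if linktype in (LINKTYPE_RAW, LINKTYPE_IPV4, LINKTYPE_IPV6):   # no link-layer header at all
        return _by_ethertype(ETH_IPV4 if data[0] >> 4 == 4 else ETH_IPV6, data)
    raise ValueError(f"unsupported LINKTYPE {linktype}")

def pcap_flows(data):
    """Read the 24-byte global header in either byte order, then every packet record."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    flows, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        flow = decapsulate(linktype, data[off:off + incl_len])
        if flow:
            flows.append(flow)
        off += incl_len
    return flows

# --- constructed sample capture (synthetic, not recorded traffic) --------------
def build_ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload

def build_tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)

def build_eth(etype, payload, vlan=None):
    tag = struct.pack("!HH", ETH_DOT1Q, vlan) if vlan is not None else b""
    return bytes(12) + tag + struct.pack("!H", etype) + payload

def build_pcap(linktype, packets):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for p in packets:
        out += struct.pack("<IIII", 0, 0, len(p), len(p)) + p
    return out

INNER = build_eth(ETH_IPV4, build_ipv4("10.1.0.7", "10.1.0.3", 6, build_tcp_syn(51000, 443)))
VXLAN = struct.pack("!HHHH", 40000, VXLAN_PORT, 16 + len(INNER), 0) + bytes.fromhex("0800000000123400") + INNER
SAMPLE = build_pcap(LINKTYPE_ETHERNET, [
    build_eth(ETH_IPV4, build_ipv4("10.0.0.5", "10.0.0.9", 6, build_tcp_syn(40001, 443)), vlan=100),
    build_eth(ETH_IPV4, build_ipv4("192.0.2.1", "192.0.2.2", 17, VXLAN)),   # mirrored-traffic style frame
])

if __name__ == "__main__":
    for flow in pcap_flows(SAMPLE):
        print(flow)
```

The second sample frame is the shape port-mirroring feeds produce: the interesting TCP session is inside a VXLAN tunnel, so an analyzer that stops at the outer UDP header would report only a UDP flow to port 4789 and never see the TLS handshake.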
Supported L7 handshake extraction protocols
The AQG Network Analyzer supports the following handshake extraction protocols for layer 7:
- TLS 1.3: Extracts client-supported ciphersuites, elliptic curves, and signature algorithms (classic, hybrid, or PQC), along with the server's selected ciphersuites.
- SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2: Extracts classic cryptographic objects as in TLS 1.3, as well as any available X.509 certificates.
Yanadump live streaming formats and protocols
yanadump can directly capture packets from a Linux network interface for analyzing live network traffic. For a list of available L4 protocols, refer to the previous section.
yanadump also supports VXLAN, which AWS uses for its port mirroring capability. It can parse generic traffic at a speed of ~1 Gbps per CPU GHz.
Refer to Getting started with live network traffic monitoring for details on using yanadump.