AQG Network Analyzer reference
Network analyzer data
The Handshakes and Ciphersuites tables below describe what the analyzer records about the cryptographic parameters negotiated when a TLS session is set up.
Handshake data
The AQG Network Analyzer can identify both complete and incomplete handshakes and extract the following data. For incomplete handshakes only the values the client offered are available; the server's choices (selected ciphersuite and group, certificate, server timestamp) require the server's reply to have been captured.
| Data | Complete Handshakes | Incomplete Handshakes |
|---|---|---|
| Source IP | ✅ | ✅ |
| Target IP | ✅ | ✅ |
| Source Port | ✅ | ✅ |
| Target Port | ✅ | ✅ |
| Selected Ciphersuite | ✅ | — |
| Client-supported Ciphersuites | ✅ | ✅ |
| Selected EC Group | ✅ | — |
| Client-supported Groups | ✅ | ✅ |
| Certificate and Key information | ✅ | — |
| Client timestamp | ✅ | ✅ |
| Server timestamp | ✅ | — |
| Server name | ✅ | ✅ |
Handshake data can be accessed through the AQtive Guard UI.
You can also use the yanadump tool to dump handshake information from a PCAP file. Run:
This generates a trace file containing all TLS handshake information in Protobuf format. Uploading this compact trace to AQtive Guard for analysis is considerably faster than uploading the raw PCAP.
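As an added example (not the analyzer's or yanadump's own code), the Python below parses the ClientHello and ServerHello out of a TLS record stream and reports the fields of the table above, marking the result incomplete when no ServerHello was seen. The sample messages are constructed inline rather than captured; suite and group values are IANA code points (0x1301 is TLS_AES_128_GCM_SHA256, 0x001D is x25519). Certificates are not handled here since TLS 1.3 encrypts them.

```python
"""Extract handshake fields from TLS records, distinguishing what is visible in a
client-only (incomplete) capture from what needs the ServerHello (complete)."""
import struct

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 1, 2
EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS, EXT_SUPPORTED_VERSIONS, EXT_KEY_SHARE = 0, 10, 43, 51


def handshake_messages(stream):
    """Yield (msg_type, body) for every handshake message in a TLS record stream."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _ver, rlen = struct.unpack_from("!BHH", stream, pos)
        frag, pos = stream[pos + 5:pos + 5 + rlen], pos + 5 + rlen
        if ctype != HANDSHAKE:          # alert, CCS, application data: nothing to extract
            continue
        off = 0
        while off + 4 <= len(frag):
            mlen = int.from_bytes(frag[off + 1:off + 4], "big")
            yield frag[off], frag[off + 4:off + 4 + mlen]
            off += 4 + mlen


def parse_extensions(buf):
    """Split an extensions block (2-byte total length, then TLV entries) into {type: data}."""
    exts, off = {}, 2
    while off + 4 <= len(buf):
        etype, elen = struct.unpack_from("!HH", buf, off)
        exts[etype] = buf[off + 4:off + 4 + elen]
        off += 4 + elen
    return exts


def u16_list(buf, start=0):
    return [struct.unpack_from("!H", buf, i)[0] for i in range(start, len(buf) - 1, 2)]


def parse_client_hello(body):
    off = 2 + 32                                   # legacy_version + random
    off += 1 + body[off]                           # legacy_session_id
    n = struct.unpack_from("!H", body, off)[0]
    suites, off = u16_list(body[off + 2:off + 2 + n]), off + 2 + n
    off += 1 + body[off]                           # legacy_compression_methods
    exts = parse_extensions(body[off:])
    info = {"client_suites": suites, "client_groups": [], "server_name": None}
    if EXT_SUPPORTED_GROUPS in exts:               # 2-byte list length, then 2-byte group ids
        info["client_groups"] = u16_list(exts[EXT_SUPPORTED_GROUPS], 2)
    if EXT_SERVER_NAME in exts:                    # list len(2), name_type(1), name len(2), name
        sni = exts[EXT_SERVER_NAME]
        info["server_name"] = sni[5:5 + struct.unpack_from("!H", sni, 3)[0]].decode("ascii")
    return info


def parse_server_hello(body):
    off = 2 + 32
    off += 1 + body[off]
    suite = struct.unpack_from("!H", body, off)[0]
    exts = parse_extensions(body[off + 3:])        # skip cipher_suite(2) + compression(1)
    info = {"selected_suite": suite, "selected_group": None, "version": 0x0303}
    if EXT_KEY_SHARE in exts:                      # TLS 1.3: the group the server picked
        info["selected_group"] = struct.unpack_from("!H", exts[EXT_KEY_SHARE])[0]
    if EXT_SUPPORTED_VERSIONS in exts:             # TLS 1.3 announces itself here, not in the legacy field
        info["version"] = struct.unpack_from("!H", exts[EXT_SUPPORTED_VERSIONS])[0]
    return info


def extract(stream):
    """Summarise a captured stream; 'complete' stays False until a ServerHello has been seen."""
    summary = {"complete": False}
    for mtype, body in handshake_messages(stream):
        if mtype == CLIENT_HELLO:
            summary.update(parse_client_hello(body))
        elif mtype == SERVER_HELLO:
            summary.update(parse_server_hello(body))
            summary["complete"] = True
    return summary


# ---- constructed sample messages (built here, not captured traffic) ----
def _ext(etype, data):
    return struct.pack("!HH", etype, len(data)) + data


def _record(mtype, body):
    msg = bytes([mtype]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(msg)) + msg


def build_client_hello(suites, groups, server_name):
    name = server_name.encode()
    groups_blob = b"".join(struct.pack("!H", g) for g in groups)
    exts = (_ext(EXT_SERVER_NAME, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
            + _ext(EXT_SUPPORTED_GROUPS, struct.pack("!H", len(groups_blob)) + groups_blob)
            + _ext(EXT_SUPPORTED_VERSIONS, b"\x04\x03\x04\x03\x03"))      # offers 1.3 and 1.2
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    return _record(CLIENT_HELLO, body)


def build_server_hello(suite, group):
    exts = (_ext(EXT_KEY_SHARE, struct.pack("!HH", group, 32) + b"\x22" * 32)
            + _ext(EXT_SUPPORTED_VERSIONS, b"\x03\x04"))                      # selected TLS 1.3
    body = (b"\x03\x03" + b"\x33" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
            + struct.pack("!H", len(exts)) + exts)
    return _record(SERVER_HELLO, body)


if __name__ == "__main__":
    ch = build_client_hello([0x1301, 0x1302, 0xC02F], [0x001D, 0x0017], "example.com")
    print(extract(ch))                                          # incomplete: client fields only
    print(extract(ch + build_server_hello(0x1301, 0x001D)))     # complete: selected suite and group too
```

Feeding only the ClientHello yields the incomplete-handshake columns of the table (endpoints aside, which come from the IP/TCP layer); appending the ServerHello fills in the selected suite, the selected group and the negotiated version.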
Ciphersuite data
The AQG Network Analyzer decomposes each negotiated TLS ciphersuite and extracts the following components:
- TLS version
- Key exchange algorithm
- Signature algorithm
- Symmetric cipher algorithm
- MAC algorithm
- Hash algorithm
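The decomposition above can be reproduced from the IANA suite name alone, which is what the following added Python example does; it is not the analyzer's own logic. The weaknesses() checks encode common hardening guidance (no forward secrecy, deprecated ciphers, MD5 MACs) and are this example's assumptions, not statements from the page. For TLS 1.3 suites the key exchange and signature are not in the name at all, because they are negotiated by extensions.

```python
"""Decompose an IANA ciphersuite name into TLS version, key exchange, signature, cipher,
MAC and hash, and flag weak choices. Added example, not the analyzer's own code."""
import re

# TLS 1.3 suites (RFC 8446 B.4) name only an AEAD cipher and the HKDF hash.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256"}
FIXED_KEY_BITS = {"3DES": 168, "DES": 56, "CHACHA20": 256, "NULL": 0}
SUITE_RE = re.compile(r"^(?:TLS|SSL)_(?P<kx>.+?)_WITH_(?P<cipher>.+?)_(?P<hash>SHA\d*|MD5)$")


def split_cipher(spec):
    """'AES_128_GCM' -> ('AES', 128, 'GCM'); '3DES_EDE_CBC' -> ('3DES', 168, 'CBC');
    'RC4_128' -> ('RC4', 128, 'STREAM')."""
    alg, *rest = spec.split("_")
    bits = next((int(t) for t in rest if t.isdigit() and int(t) >= 40), FIXED_KEY_BITS.get(alg))
    mode = "_".join(t for t in rest if t != "EDE" and not (t.isdigit() and int(t) >= 40)) or "STREAM"
    return alg, bits, mode


def decompose(name):
    if name in TLS13_SUITES:
        alg, bits, mode = split_cipher(name[4:].rsplit("_", 1)[0])
        return {"versions": "TLS 1.3 only", "key_exchange": "(EC)DHE or PSK via key_share/pre_shared_key",
                "signature": "via signature_algorithms extension", "cipher": alg, "key_bits": bits,
                "mode": mode, "mac": "AEAD", "hash": name.rsplit("_", 1)[1], "anonymous": False}
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised ciphersuite name: {name}")
    kx, _, auth = m["kx"].partition("_")        # 'ECDHE_RSA' -> 'ECDHE', 'RSA'; 'RSA' -> 'RSA', ''
    alg, bits, mode = split_cipher(m["cipher"])
    aead = mode.startswith(("GCM", "CCM", "POLY1305"))
    h = m["hash"]
    return {
        # AEAD suites and explicit SHA-2 PRF hashes exist only from TLS 1.2 (RFC 5246/5288)
        "versions": "TLS 1.2 only" if aead or h in ("SHA256", "SHA384") else "TLS 1.2 and earlier",
        "key_exchange": kx,
        # RSA key transport, PSK and anonymous DH carry no handshake signature
        "signature": None if auth in ("", "anon", "PSK") else auth,
        "cipher": alg, "key_bits": bits, "mode": mode,
        "mac": "AEAD" if aead else "HMAC-" + ("SHA1" if h == "SHA" else h),
        "hash": h if h in ("SHA256", "SHA384") else "SHA256 (TLS 1.2 PRF); MD5+SHA1 before TLS 1.2",
        "anonymous": auth == "anon",
    }


def weaknesses(name):
    """Reasons a practitioner would flag the suite; an empty list means nothing obvious."""
    d, w = decompose(name), []
    if "EXPORT" in name:
        w.append("export-grade key sizes")
    if d["anonymous"]:
        w.append("anonymous key exchange: no server authentication")
    if d["key_exchange"] in ("RSA", "DH", "ECDH", "PSK"):
        w.append(f"{d['key_exchange']} key exchange: no forward secrecy")
    if d["cipher"] in ("NULL", "RC4", "DES", "3DES"):
        w.append(f"{d['cipher']}: broken or deprecated cipher")
    if d["mode"] == "CBC":
        w.append("CBC with MAC-then-encrypt: padding-oracle history")
    if d["mac"] == "HMAC-MD5":
        w.append("MD5-based MAC")
    return w


if __name__ == "__main__":
    for suite in ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                  "TLS_AES_256_GCM_SHA384", "TLS_DH_anon_WITH_RC4_128_MD5"):
        print(suite, decompose(suite), weaknesses(suite))
```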
PCAP formats and packet types
The AQG Network Analyzer supports several PCAP formats, PCAP link layers, and protocols. Refer to Getting started with PCAP upload for details on using PCAPs for analysis.
PCAP formats
The AQG Network Analyzer supports any format that the pcap-parser supports. These formats are:
PCAP link layers
The AQG Network Analyzer supports the following PCAP link layers:
- LINKTYPE_NULL: Null (assuming the capturing host was little-endian)
- LINKTYPE_LOOP: Loop (assuming the capturing host was little-endian)
- LINKTYPE_ETHERNET: Ethernet
- LINKTYPE_IPV4: IPv4
- LINKTYPE_IPV6: IPv6
- LINKTYPE_RAW: Raw
- LINKTYPE_LINUX_SLL: Linux cooked capture encapsulation
- LINKTYPE_LINUX_SLL2: Linux cooked capture encapsulation v2
Refer to the LINKTYPE definitions for details.
Supported network protocols
The AQG Network Analyzer supports the following protocols for both PCAP analysis and yanadump live streaming.
Supported Layer 4 (L4) and lower packet types
The AQG Network Analyzer supports the following packet types at L4 or below:
- Ethernet
- Dot1q
- IPv4 / IPv6
- Generic Routing Encapsulation (GRE)
- VXLAN
- TCP / UDP
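To show how the link layers and encapsulations above are peeled back to reach the L4 payload that the handshake extractor works on, here is an added Python example (not the analyzer's code). It reads a classic pcap, strips the link-layer header per LINKTYPE, then walks 802.1Q, IPv4/IPv6, GRE and VXLAN down to the TCP/UDP endpoints and payload. The two captures it analyses are constructed inside the block: a VLAN-tagged, VXLAN-encapsulated frame (VXLAN being what AWS port mirroring produces) and the same inner flow on a LINKTYPE_NULL interface. pcapng, IPv6 extension headers and checksum verification are outside its scope.

```python
"""Walk a classic pcap from its file header down to the TCP/UDP payload, handling the link
layers and encapsulations listed on this page. Added example, not the analyzer's own code."""
import ipaddress
import struct

# LINKTYPE_* values from the tcpdump/libpcap link-layer header types registry
LT_NULL, LT_ETHERNET, LT_RAW, LT_LOOP, LT_SLL, LT_IPV4, LT_IPV6, LT_SLL2 = 0, 1, 101, 108, 113, 228, 229, 276
ETH_IPV4, ETH_IPV6, ETH_DOT1Q, ETH_QINQ = 0x0800, 0x86DD, 0x8100, 0x88A8
VXLAN_PORT = 4789


def pcap_records(data):
    """Yield (linktype, frame) from a classic pcap in either byte order (nanosecond magic too).
    pcapng (magic 0x0A0D0D0A) is a different container and is rejected here."""
    magic = struct.unpack_from("<I", data)[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        bo = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        bo = ">"
    else:
        raise ValueError(f"not a classic pcap file (magic {magic:#010x})")
    linktype, pos = struct.unpack_from(bo + "I", data, 20)[0], 24     # linktype is the last header field
    while pos + 16 <= len(data):
        incl_len = struct.unpack_from(bo + "IIII", data, pos)[2]        # ts_sec, ts_frac, incl_len, orig_len
        yield linktype, data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len


def strip_link_header(linktype, frame):
    """Return (ethertype, network-layer packet) for each link type the page lists."""
    if linktype == LT_ETHERNET:
        return struct.unpack_from("!H", frame, 12)[0], frame[14:]
    if linktype == LT_SLL:                 # 16-byte cooked header, protocol type in its last 2 bytes
        return struct.unpack_from("!H", frame, 14)[0], frame[16:]
    if linktype == LT_SLL2:                # 20-byte cooked header, protocol type first
        return struct.unpack_from("!H", frame, 0)[0], frame[20:]
    if linktype in (LT_NULL, LT_LOOP):     # 4-byte address family in the capturing host's byte order
        af = int.from_bytes(frame[:4], "little")
        if af > 0xFFFF:                    # looks byte-swapped: the capturing host was big-endian
            af = int.from_bytes(frame[:4], "big")
        return (ETH_IPV4 if af == 2 else ETH_IPV6), frame[4:]
    if linktype in (LT_RAW, LT_IPV4, LT_IPV6):   # no link header: decide by the IP version nibble
        return (ETH_IPV4 if frame[0] >> 4 == 4 else ETH_IPV6), frame
    raise ValueError(f"unsupported linktype {linktype}")


def decapsulate(ethertype, pkt, path=None):
    """Follow 802.1Q -> IPv4/IPv6 -> GRE or VXLAN (recursing into the inner frame) -> TCP/UDP."""
    path = [] if path is None else path
    while ethertype in (ETH_DOT1Q, ETH_QINQ):                  # one or more VLAN tags
        path.append("dot1q")
        ethertype, pkt = struct.unpack_from("!H", pkt, 2)[0], pkt[4:]
    if ethertype == ETH_IPV4:
        proto, src, dst, pkt = pkt[9], pkt[12:16], pkt[16:20], pkt[(pkt[0] & 0x0F) * 4:]
    elif ethertype == ETH_IPV6:                                # extension headers not walked here
        proto, src, dst, pkt = pkt[6], pkt[8:24], pkt[24:40], pkt[40:]
    else:
        raise ValueError(f"unsupported ethertype {ethertype:#06x}")
    path.append("ipv4" if ethertype == ETH_IPV4 else "ipv6")
    if proto == 47:                                            # GRE: optional checksum/key/sequence words
        flags, inner_type = struct.unpack_from("!HH", pkt)
        hlen = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
        path.append("gre")
        return decapsulate(inner_type, pkt[hlen:], path)
    if proto not in (6, 17):
        raise ValueError(f"unsupported IP protocol {proto}")
    sport, dport = struct.unpack_from("!HH", pkt)
    if proto == 17 and dport == VXLAN_PORT:                    # 8-byte UDP + 8-byte VXLAN, then Ethernet
        path.append("vxlan")
        inner = pkt[16:]
        return decapsulate(struct.unpack_from("!H", inner, 12)[0], inner[14:], path)
    path.append("udp" if proto == 17 else "tcp")
    payload = pkt[8:] if proto == 17 else pkt[(pkt[12] >> 4) * 4:]   # TCP data offset is in 32-bit words
    return {"path": path, "src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "sport": sport, "dport": dport, "payload": payload}


def analyze(pcap_bytes):
    return [decapsulate(*strip_link_header(lt, frame)) for lt, frame in pcap_records(pcap_bytes)]


# ---- constructed sample captures (built here, not recorded traffic) ----
def _ipv4(src, dst, proto, payload):                           # checksum left 0: not verified above
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + payload


def _eth(ethertype, payload, vlan=None):
    tag = struct.pack("!HH", ETH_DOT1Q, vlan) if vlan is not None else b""
    return b"\x02" * 6 + b"\x04" * 6 + tag + struct.pack("!H", ethertype) + payload


def _pcap(linktype, *frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return hdr + b"".join(struct.pack("<IIII", 1700000000, 0, len(f), len(f)) + f for f in frames)


TLS_RECORD_START = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"   # placeholder handshake bytes
INNER_TCP = struct.pack("!HHIIBBHHH", 51234, 443, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + TLS_RECORD_START
INNER_IP = _ipv4("10.0.1.5", "203.0.113.7", 6, INNER_TCP)
_vxlan = struct.pack("!II", 0x08000000, 42 << 8) + _eth(ETH_IPV4, INNER_IP)       # VNI 42
_udp = struct.pack("!HHHH", 40000, VXLAN_PORT, 8 + len(_vxlan), 0) + _vxlan
# Mirrored copy on VLAN 100, and the same flow on a LINKTYPE_NULL interface (AF_INET = 2, little-endian)
MIRROR_PCAP = _pcap(LT_ETHERNET, _eth(ETH_IPV4, _ipv4("10.0.0.9", "10.0.0.200", 17, _udp), vlan=100))
LOOPBACK_PCAP = _pcap(LT_NULL, struct.pack("<I", 2) + INNER_IP)
```

Running analyze(MIRROR_PCAP) reports the path dot1q, ipv4, vxlan, ipv4, tcp and the inner endpoints (10.0.1.5 to 203.0.113.7:443) with the TLS record bytes as payload, which is the point at which handshake extraction would take over; the LINKTYPE_NULL capture reaches the same payload with the path ipv4, tcp.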
Supported Layer 7 (L7) handshake extraction protocols
The AQG Network Analyzer supports the following handshake extraction protocols for L7:
- TLS 1.3: extracts client-supported ciphersuites, elliptic curves, and signature algorithms (classic, hybrid, or PQC), along with the ciphersuite the server selected. TLS 1.3 encrypts the Certificate message, so certificates cannot be read from a passive capture of a TLS 1.3 handshake.
- SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2: extracts the same classic cryptographic objects as for TLS 1.3, as well as any available X.509 certificates.
Yanadump live streaming formats and protocols
yanadump captures packets directly from Linux network interfaces to analyze live network traffic. It also supports VXLAN, which AWS uses for its port mirroring capability, and parses generic traffic at roughly 1 Gbps per GHz of CPU clock.
Refer to Getting started with live network traffic monitoring for details on using yanadump.