pcap_tls_analysis
Analyze TLS handshakes, SNI values, and certificate data in PCAP files to extract security information for network forensics and penetration testing.
Instructions
Analyze TLS handshakes, SNI values, and certificate data in a PCAP. Returns sni_values, tls_versions, server_ephemeral_keys, and client_randoms. Read-only file analysis.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| pcap_path | Yes | Path to the PCAP file | |
Implementation Reference
- src/tools/pcap.ts:253-288 (handler): the implementation of the `pcap_tls_analysis` tool, which uses `tshark` to extract TLS handshake details.

```typescript
server.tool(
  "pcap_tls_analysis",
  "Analyze TLS handshakes, SNI values, and certificate data in a PCAP. Returns sni_values, tls_versions, server_ephemeral_keys, and client_randoms. Read-only file analysis.",
  {
    pcap_path: z.string().describe("Path to the PCAP file"),
  },
  async ({ pcap_path }) => {
    requireTool("tshark");
    // The path is validated before it is interpolated into the shell commands below.
    const pcap = validatePcap(pcap_path);
    // Unique host names from the server_name (SNI) extension of ClientHellos.
    const sni = await runShell(
      `tshark -r '${pcap}' -Y 'tls.handshake.extensions_server_name' -T fields -e tls.handshake.extensions_server_name 2>/dev/null | sort -u`
    );
    // Version field of each ClientHello (handshake type 1), counted by value.
    // Note: a TLS 1.3 client sets this legacy field to 0x0303 (TLS 1.2) and
    // advertises 1.3 in the supported_versions extension instead.
    const versions = await runShell(
      `tshark -r '${pcap}' -Y 'tls.handshake.type == 1' -T fields -e tls.handshake.version 2>/dev/null | sort | uniq -c | sort -rn`
    );
    // Server ephemeral public points from ServerKeyExchange (handshake type 12).
    // That message exists only in TLS 1.2 and earlier; TLS 1.3 sends the key
    // share as a ServerHello extension, so this list is empty for 1.3-only captures.
    const serverKeys = await runShell(
      `tshark -r '${pcap}' -Y 'tls.handshake.type == 12' -T fields -e tls.handshake.server_point 2>/dev/null | head -5`
    );
    // 32-byte random from the first ten ClientHellos.
    const clientRandoms = await runShell(
      `tshark -r '${pcap}' -Y 'tls.handshake.type == 1' -T fields -e tls.handshake.random 2>/dev/null | head -10`
    );
    const result = {
      sni_values: parseLines(sni.stdout),
      tls_versions: parseLines(versions.stdout),
      server_ephemeral_keys: parseLines(serverKeys.stdout),
      client_randoms: parseLines(clientRandoms.stdout),
    };
    return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
  }
);
```
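Because the tool delegates everything to `tshark`, it helps to know which bytes those field names refer to. The following TypeScript, added here as an example and not taken from the pcap_tls_analysis project, parses a TLS ClientHello record directly and recovers the same data the tool asks tshark for: the client random, the SNI host name, and the versions advertised in the supported_versions extension (where a TLS 1.3 client states its real version, while the legacy version field that `tls.handshake.version` reports reads TLS 1.2). `parseClientHello`, `buildSampleClientHello` and the helper names are my own, and the sample record is constructed rather than captured.

```typescript
// Added example (not code from the pcap_tls_analysis project): parse a TLS
// ClientHello and recover client random, SNI host name and advertised versions.
// Wire format per RFC 5246 (TLS 1.2) and RFC 8446 (supported_versions, TLS 1.3).

const VERSION_NAMES: Record<number, string> = {
  0x0300: "SSL 3.0",
  0x0301: "TLS 1.0",
  0x0302: "TLS 1.1",
  0x0303: "TLS 1.2",
  0x0304: "TLS 1.3",
};

interface ClientHelloInfo {
  legacyVersion: string;       // the ClientHello version field (legacy_version in 1.3)
  supportedVersions: string[]; // from the supported_versions extension, if present
  clientRandom: string;        // 32-byte random, hex encoded
  sni: string | null;          // host_name from the server_name extension, if present
}

function u16(b: Uint8Array, o: number): number {
  return (b[o] << 8) | b[o + 1];
}

function be16(n: number): number[] {
  return [(n >> 8) & 0xff, n & 0xff];
}

function be24(n: number): number[] {
  return [(n >> 16) & 0xff, (n >> 8) & 0xff, n & 0xff];
}

function hex(b: Uint8Array): string {
  let s = "";
  for (let i = 0; i < b.length; i++) s += ("0" + b[i].toString(16)).slice(-2);
  return s;
}

function versionName(code: number): string {
  return VERSION_NAMES[code] || "unknown(0x" + ("000" + code.toString(16)).slice(-4) + ")";
}

function parseClientHello(rec: Uint8Array): ClientHelloInfo {
  // TLS record header: content type 0x16 (handshake), version (2), length (2)
  if (rec[0] !== 0x16) throw new Error("not a TLS handshake record");
  let o = 5;
  // Handshake header: msg_type 0x01 (ClientHello), 3-byte length
  if (rec[o] !== 0x01) throw new Error("not a ClientHello");
  const hsLen = (rec[o + 1] << 16) | (rec[o + 2] << 8) | rec[o + 3];
  o += 4;
  const end = o + hsLen;
  const legacyVersion = versionName(u16(rec, o));
  o += 2;
  const clientRandom = hex(rec.subarray(o, o + 32));
  o += 32;
  o += 1 + rec[o];       // session_id, 1-byte length prefix
  o += 2 + u16(rec, o);  // cipher_suites, 2-byte length prefix
  o += 1 + rec[o];       // compression_methods, 1-byte length prefix

  let sni: string | null = null;
  const supportedVersions: string[] = [];
  if (o + 2 <= end) {
    const extEnd = o + 2 + u16(rec, o);
    o += 2;
    while (o + 4 <= extEnd) {
      const type = u16(rec, o);
      const len = u16(rec, o + 2);
      const data = rec.subarray(o + 4, o + 4 + len);
      if (type === 0x0000 && data.length >= 5 && data[2] === 0x00) {
        // server_name: list length (2), name_type 0 = host_name, name length (2), name
        const nameLen = u16(data, 3);
        let name = "";
        for (let i = 5; i < 5 + nameLen && i < data.length; i++) name += String.fromCharCode(data[i]);
        sni = name;
      } else if (type === 0x002b && data.length >= 1) {
        // supported_versions (ClientHello form): 1-byte list length, then 2-byte versions
        const n = data[0];
        for (let i = 1; i + 1 <= n && i + 1 < data.length; i += 2) supportedVersions.push(versionName(u16(data, i)));
      }
      o += 4 + len;
    }
  }
  return { legacyVersion: legacyVersion, supportedVersions: supportedVersions, clientRandom: clientRandom, sni: sni };
}

// Builds a constructed (not captured) TLS 1.3-style ClientHello for the given host:
// legacy version 0x0303, one cipher suite, SNI and supported_versions extensions.
function buildSampleClientHello(host: string): Uint8Array {
  const random: number[] = [];
  for (let i = 0; i < 32; i++) random.push(i); // constructed bytes, not real entropy
  const name: number[] = [];
  for (let i = 0; i < host.length; i++) name.push(host.charCodeAt(i));
  const sniExt = [0x00, 0x00].concat(be16(name.length + 5), be16(name.length + 3), [0x00], be16(name.length), name);
  const svExt = [0x00, 0x2b, 0x00, 0x05, 0x04, 0x03, 0x04, 0x03, 0x03]; // TLS 1.3, TLS 1.2
  const exts = sniExt.concat(svExt);
  const body = [0x03, 0x03].concat(random, [0x00], [0x00, 0x02, 0x13, 0x01], [0x01, 0x00], be16(exts.length), exts);
  const hs = [0x01].concat(be24(body.length), body);
  return new Uint8Array([0x16, 0x03, 0x01].concat(be16(hs.length), hs));
}

console.log(JSON.stringify(parseClientHello(buildSampleClientHello("example.com")), null, 2));
```

Run it with `npx tsx` or `ts-node`; the printed object shows `legacyVersion` as "TLS 1.2" next to `supportedVersions` starting with "TLS 1.3", which is exactly why a `tls.handshake.version` histogram undercounts TLS 1.3 clients and why the `tls.handshake.extensions.supported_version` field is the one to add when that distinction matters.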