
Signature analysis: TLS

AlexanderLevenskikh edited this page Dec 27, 2019 · 3 revisions

Signature format: SSLVersion,Cipher,SSLExtension,EllipticCurve,EllipticCurvePointFormat

Fingerprint sample: 769,49172-49171-53-47-49162-49161-56-50-10-19-5-4,0-5-10-11-65281,23-24-25,0

We use the tshark output field tls_handshake_tls_handshake_type to detect the Client Hello message (its value equals 1). The JA3 components are taken from these tshark fields:

SSLVersion: tls_handshake_tls_handshake_version (0x301 for TLS1.2)
Cipher: tls_handshake_ciphersuites_tls_handshake_ciphersuite
SSLExtension: text_tls_handshake_extension_type
EllipticCurve: tls_handshake_extensions_supported_groups_tls_handshake_extensions_supported_group
EllipticCurvePointFormat: tls_handshake_extensions_ec_point_formats_tls_handshake_extensions_ec_point_format

Let's calculate the JA3 MD5 hash of a sample TLS Client Hello from our pcap: 771,49199-49200-49195-49196-52392-52393-49171-49161-49172-49162-156-157-47-53-49170-10,5-10-11-35-13-65281-18,29-23-24-25,0
The resulting MD5 hash is 1f24dbdea9cbd448a034e5d87c14168f
Searching for it on ja3er.com gives:

Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8 (count: 1, last seen: 2019-09-29 01:08:29)
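The JA3 construction described above, as an added example (not code from this wiki or its project). It assumes a tshark `-T ek`/JSON record has already been parsed into a dict keyed by the field names listed above, builds the JA3 string from the page's sample Client Hello and hashes it; it also drops GREASE values as the JA3 specification requires, which the page does not mention. Compare the printed digest with the hash quoted above.

```python
import hashlib

# Field names as this page's tshark output spells them (dots replaced by underscores).
F_TYPE = "tls_handshake_tls_handshake_type"
F_VERSION = "tls_handshake_tls_handshake_version"
F_CIPHERS = "tls_handshake_ciphersuites_tls_handshake_ciphersuite"
F_EXTS = "text_tls_handshake_extension_type"
F_GROUPS = "tls_handshake_extensions_supported_groups_tls_handshake_extensions_supported_group"
F_POINTS = "tls_handshake_extensions_ec_point_formats_tls_handshake_extensions_ec_point_format"

# GREASE values (RFC 8701: 0x0a0a, 0x1a1a, ... 0xfafa) are dropped by the JA3 spec so randomised placeholders do not alter a fingerprint.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}

def _to_int(value):
    """tshark prints cipher suites as hex ("0xc02f") and extension types as decimal ("65281")."""
    return int(value, 16) if value.lower().startswith("0x") else int(value)

def _values(record, field):
    """Normalise a missing value, a single string or a list of strings to a GREASE-free int list."""
    raw = record.get(field, [])
    if not isinstance(raw, list):
        raw = [raw]
    return [v for v in map(_to_int, raw) if v not in GREASE]

def ja3_string(record):
    """Build SSLVersion,Cipher,SSLExtension,EllipticCurve,EllipticCurvePointFormat for a ClientHello."""
    if _values(record, F_TYPE)[:1] != [1]:  # handshake type 1 is ClientHello; ignore anything else
        return None
    parts = [_values(record, F_VERSION)[:1], _values(record, F_CIPHERS), _values(record, F_EXTS),
             _values(record, F_GROUPS), _values(record, F_POINTS)]
    return ",".join("-".join(str(v) for v in part) for part in parts)

def ja3_hash(record):
    """JA3 fingerprint: MD5 of the JA3 string as a 32-character hex digest, or None if not a ClientHello."""
    s = ja3_string(record)
    return hashlib.md5(s.encode("ascii")).hexdigest() if s is not None else None

# Constructed record mirroring the page's sample ClientHello, plus one GREASE cipher (0x0a0a) and one GREASE group (0x1a1a) that must be filtered out.
SAMPLE = {
    F_TYPE: "1", F_VERSION: "0x0303",
    F_CIPHERS: ["0x0a0a", "0xc02f", "0xc030", "0xc02b", "0xc02c", "0xcca8", "0xcca9", "0xc013",
                "0xc009", "0xc014", "0xc00a", "0x009c", "0x009d", "0x002f", "0x0035", "0xc012", "0x000a"],
    F_EXTS: ["5", "10", "11", "35", "13", "65281", "18"],
    F_GROUPS: ["0x1a1a", "0x001d", "0x0017", "0x0018", "0x0019"], F_POINTS: "0",
}

if __name__ == "__main__":
    print(ja3_string(SAMPLE))
    print(ja3_hash(SAMPLE))
```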