
Extract TLS certificates from pcap files or network interfaces, fingerprint TLS client/server interactions with ja3/ja3s



sensor-d4-tls-fingerprinting is intended to feed a D4 project client, though it can also be used standalone.

Main features

  • extracts TLS certificates from pcap files or network interfaces
  • fingerprints TLS client/server interactions with ja3/ja3s
  • fingerprints TLS interactions with TLSH fuzzy hashing
  • writes certificates to a folder
  • exports JSON to files or stdout
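
The ja3 fingerprint named in the feature list is the MD5 of five ClientHello fields joined as a string, with GREASE values removed so that randomised placeholders do not change the result. The sketch below is an added example, not code from this project; it goes beyond what the page states, and the `ClientHello` type and function names are assumptions made for illustration.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// ClientHello holds the five fields ja3 uses (hypothetical type, not the sensor's own).
type ClientHello struct {
	Version                                   uint16
	Ciphers, Extensions, Curves, PointFormats []uint16 // point formats are single bytes on the wire
}

// isGREASE reports whether v is an RFC 8701 GREASE value (0x0a0a, 0x1a1a, ... 0xfafa).
func isGREASE(v uint16) bool {
	return v&0x0f0f == 0x0a0a && v>>8 == v&0xff
}

// join renders values as dash-separated decimals in wire order, skipping GREASE.
func join(vals []uint16) string {
	out := make([]string, 0, len(vals))
	for _, v := range vals {
		if !isGREASE(v) {
			out = append(out, strconv.Itoa(int(v)))
		}
	}
	return strings.Join(out, "-")
}

// JA3String builds "Version,Ciphers,Extensions,Curves,PointFormats".
func JA3String(h ClientHello) string {
	return strings.Join([]string{strconv.Itoa(int(h.Version)), join(h.Ciphers),
		join(h.Extensions), join(h.Curves), join(h.PointFormats)}, ",")
}

// JA3 returns the fingerprint: the hex-encoded MD5 of the ja3 string.
func JA3(h ClientHello) string {
	sum := md5.Sum([]byte(JA3String(h)))
	return hex.EncodeToString(sum[:])
}

func main() {
	// Constructed sample ClientHello with GREASE in ciphers, extensions and curves.
	h := ClientHello{771, []uint16{0x0a0a, 49195, 49199},
		[]uint16{0x1a1a, 0, 10, 11}, []uint16{0x2a2a, 29, 23}, []uint16{0}}
	fmt.Println(JA3String(h), JA3(h))
}
```

Extension order is preserved, so two clients offering the same extensions in a different order produce different fingerprints.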


This project is currently in development and is subject to change; check the list of issues.

Compile from source


  • git
  • golang >= 1.5
  • libpcap
#apt install golang git libpcap-dev

Go get

$go get
$cd $GOPATH/

A "sensor-d4-tls-fingerprinting" binary compiled for your architecture should then be in $GOPATH/bin. Alternatively, use make to compile for arm/linux or amd64/linux.

How to use

Read from pcap:

$ ./d4-tlsf-amd64l -r=file 

Read from interface (promiscuous mode):

$ ./d4-tlsf-amd64l -i=interface 

Write x509 certificates to folder:

$ ./d4-tlsf-amd64l -w=folderName 

Write output JSON inside folder:

$ ./d4-tlsf-amd64l -j=folderName