
A Script for Extracting Network Metadata and Fingerprints
fatt is a script for extracting network metadata and fingerprints, such as JA3 and HASSH, from packet capture (pcap) files or live network traffic.
The primary use case is monitoring honeypots, but it can also be used for other purposes, such as network forensic analysis. fatt runs on Linux, macOS, and Windows. Note that fatt relies on pyshark (a Python wrapper for tshark), so its throughput is limited; that is acceptable here because the tool is not intended for production environments. For more demanding use cases, consider other network analysis tools such as Bro/Zeek, Suricata, or Netcap. Joy is another excellent tool for capturing and analyzing network flow data. I am also developing a Go-based version of fatt that will be faster and whose libraries can be used in your gopacket-based tools, such as packetbeat. I have released the initial version of its gQUIC library, named QUICk.
Supported Protocols and Upcoming Additions
Currently supported protocols include SSL/TLS, SSH, RDP, HTTP, and gQUIC. Upcoming additions will include IETF QUIC, MySQL, MSSQL, and more.
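To make concrete what the JA3 (TLS) and HASSH (SSH) fingerprints mentioned above are, here is an added example that is not part of fatt or its README: it parses a raw TLS ClientHello and a raw SSH_MSG_KEXINIT and derives both fingerprints from the same fields fatt reads through pyshark/tshark. The builder functions, the sample ClientHello and the sample KEXINIT are constructed for this example, not captured traffic. Two details that matter in practice are shown: GREASE values (RFC 8701) must be dropped before hashing, or a single browser would produce a different JA3 on every connection, and JA3 takes the legacy_version field from the ClientHello body, so TLS 1.3 clients still fingerprint as version 771. HASSH has a client form (kex, enc c2s, mac c2s, comp c2s) and a server form (hasshServer, using the s2c lists); both are implemented.

```python
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. JA3 drops them from the
# cipher, extension and group lists; otherwise every GREASE-enabled client would
# hash differently per connection.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def _dash(values):
    return "-".join(str(v) for v in values)


def _u16s(blob):
    return struct.unpack("!%dH" % (len(blob) // 2), blob)


def ja3_from_client_hello(record):
    """Return (ja3_string, ja3_md5) for one TLS record carrying a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hello = record[9:9 + int.from_bytes(record[6:9], "big")]
    # JA3 uses legacy_version from the ClientHello body, so TLS 1.3 shows as 771.
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                        # skip the 32-byte random
    pos += 1 + hello[pos]               # skip session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    ciphers = [c for c in _u16s(hello[pos:pos + cs_len]) if c not in GREASE]
    pos += cs_len
    pos += 1 + hello[pos]               # skip compression_methods
    extensions, groups, formats = [], [], []
    if pos < len(hello):
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype in GREASE:
                continue
            extensions.append(etype)
            if etype == 0x000A:         # supported_groups ("EllipticCurves" in JA3)
                n = struct.unpack("!H", data[:2])[0]
                groups = [g for g in _u16s(data[2:2 + n]) if g not in GREASE]
            elif etype == 0x000B:       # ec_point_formats
                formats = list(data[1:1 + data[0]])
    ja3 = ",".join([str(version), _dash(ciphers), _dash(extensions),
                    _dash(groups), _dash(formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def hassh_from_kexinit(payload, server=False):
    """Return (hassh_string, hassh_md5) for an SSH_MSG_KEXINIT payload.

    Client HASSH uses kex, enc c2s, mac c2s, comp c2s; hasshServer uses the
    s2c lists of the same message sent by the server.
    """
    if payload[0] != 20:
        raise ValueError("not SSH_MSG_KEXINIT")
    pos = 1 + 16                        # message type, then the 16-byte cookie
    name_lists = []
    for _ in range(10):
        n = struct.unpack("!I", payload[pos:pos + 4])[0]
        name_lists.append(payload[pos + 4:pos + 4 + n].decode("ascii"))
        pos += 4 + n
    picked = (0, 3, 5, 7) if server else (0, 2, 4, 6)
    hassh = ";".join(name_lists[i] for i in picked)
    return hassh, hashlib.md5(hassh.encode()).hexdigest()


# Builders for constructed test input (hypothetical helpers, not real captures).
def build_client_hello(version, ciphers, extensions):
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!H", 2 * len(ciphers))
             + struct.pack("!%dH" % len(ciphers), *ciphers)
             + b"\x01\x00" + struct.pack("!H", len(ext_blob)) + ext_blob)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_kexinit(name_lists):
    body = b"".join(struct.pack("!I", len(s)) + s.encode("ascii") for s in name_lists)
    return b"\x14" + bytes(16) + body + b"\x00" + bytes(4)


SAMPLE_CLIENT_HELLO = build_client_hello(
    0x0303,
    [0x1A1A, 0x1301, 0x1302, 0xC02B, 0xC02F],          # GREASE first, as browsers do
    [
        (0x0A0A, b"\x00"),                              # GREASE extension
        (0x0000, b"\x00\x0e\x00\x00\x0bexample.com"),   # server_name
        (0x000A, b"\x00\x06\x2a\x2a\x00\x1d\x00\x17"),  # supported_groups: GREASE, x25519, secp256r1
        (0x000B, b"\x01\x00"),                          # ec_point_formats: uncompressed
        (0x0010, b"\x00\x0c\x02h2\x08http/1.1"),        # ALPN
        (0x002B, b"\x04\x03\x04\x03\x03"),              # supported_versions: 1.3, 1.2
    ],
)

ENC, MAC, COMP = ("chacha20-poly1305@openssh.com,aes128-ctr",
                  "hmac-sha2-256,umac-64@openssh.com", "none,zlib@openssh.com")
SAMPLE_KEXINIT = build_kexinit([
    "curve25519-sha256,ecdh-sha2-nistp256", "ssh-ed25519,rsa-sha2-512",
    ENC, ENC, MAC, MAC, COMP, COMP, "", ""])
```

Running `ja3_from_client_hello(SAMPLE_CLIENT_HELLO)` yields the JA3 string `771,4865-4866-49195-49199,0-10-11-16-43,29-23,0` and its MD5; the GREASE cipher, extension and group have all been stripped. `hassh_from_kexinit(SAMPLE_KEXINIT)` joins the four client-side name-lists with `;` before hashing. When comparing against a published JA3 or HASSH list, remember that the hash is over the exact string layout above, so a client that merely reorders its cipher list or adds one extension gets a new fingerprint.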