A network traffic analyzer that captures and decodes cryptographic handshakes from TLS, SSH, IPsec, WireGuard, QUIC, DTLS, and more. Identifies post-quantum secure connections without decrypting payload.
stinky is a passive network sniffer that focuses exclusively on cryptographic protocol handshakes. It captures live traffic from a network interface (or reads a pcap file) and extracts security-relevant metadata — cipher suites, key exchange algorithms, certificate details, protocol versions — without touching the encrypted payload.
The primary use case is understanding what cryptographic protocols and algorithms are actually in use on a network: which connections use post-quantum key exchange, which are still on TLS 1.2, which SSH clients are negotiating weak ciphers, and which VPN tunnels are active.
Output is structured JSON, suitable for feeding into a log aggregator, alerting system, or your own analysis scripts.

| Protocol | What is extracted |
|---|---|
| TLS / HTTPS | ClientHello / ServerHello, TLS version, cipher suite, key exchange, SNI, ALPN, session ticket presence, post-quantum indicators |
| SSH | Protocol version banner, key exchange algorithm list, host key type, cipher and MAC preferences |
| WireGuard | Handshake initiation / response detection, endpoint identification |
| IPsec / IKEv2 | SA proposals, transform types, key lengths, DH group |
| QUIC | Initial packet detection, QUIC version, embedded TLS ClientHello extraction |
| DTLS | Handshake type, version, cipher suite negotiation |

stinky identifies TLS connections that use post-quantum key exchange algorithms — currently Kyber (ML-KEM), X25519Kyber768, and other hybrid schemes appearing in TLS 1.3 deployments. This lets you see, at a glance, which of your connections are already quantum-safe and which are not.
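The following is an added example, not stinky's own code, showing how post-quantum indicators can be read from a cleartext ClientHello: it walks the handshake to the `supported_groups` extension and matches the offered groups against the IANA codepoints for ML-KEM and hybrid key exchange. The names `Reader`, `offered_groups`, `pq_offered` and `SAMPLE` are hypothetical, and the sketch assumes the whole ClientHello sits in a single TLS record.

```python
# IANA "TLS Supported Groups" codepoints for PQ and hybrid key exchange.
PQ_GROUPS = {
    0x0200: "MLKEM512", 0x0201: "MLKEM768", 0x0202: "MLKEM1024",
    0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768",
    0x11ED: "SecP384r1MLKEM1024",
    0x6399: "X25519Kyber768Draft00", 0x639A: "SecP256r1Kyber768Draft00",
}

class Reader:  # bounds-checked cursor: truncated input raises instead of misparsing
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated handshake")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def uint(self, n):
        return int.from_bytes(self.take(n), "big")
    def vec(self, len_bytes):  # vector with a big-endian length prefix
        return self.take(self.uint(len_bytes))

def offered_groups(record):  # assumption: one TLS record holds the full ClientHello
    rec = Reader(record)
    if rec.uint(1) != 0x16:
        raise ValueError("not a handshake record")
    rec.take(2)                      # record-layer version
    hs = Reader(rec.vec(2))
    if hs.uint(1) != 0x01:
        raise ValueError("not a ClientHello")
    body = Reader(hs.vec(3))
    body.take(2 + 32)                # legacy_version, random
    body.vec(1)                      # session_id
    body.vec(2)                      # cipher_suites
    body.vec(1)                      # compression_methods
    exts = Reader(body.vec(2))
    while exts.pos < len(exts.data):
        ext_type, ext = exts.uint(2), Reader(exts.vec(2))
        if ext_type == 10:           # supported_groups
            raw = ext.vec(2)
            return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw) - 1, 2)]
    return []

def pq_offered(record):
    return [PQ_GROUPS[g] for g in offered_groups(record) if g in PQ_GROUPS]

# Constructed sample (not captured traffic): offers X25519MLKEM768, x25519, secp256r1.
SAMPLE = bytes.fromhex("160301003b" "01000037" "0303" + "00" * 32 + "00" "00021301"
                       "0100" "000c" "000a00080006" "11ec001d0017")
```

A group offered in the ClientHello is not necessarily the one negotiated: the `key_share` extension in the ServerHello names the group actually selected, so a classification of the connection should be based on that value.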