CapLoader 2.1.0 Released

Wednesday, 27 May 2026 09:15:00 (UTC/GMT)


CapLoader 2.1.0

CapLoader has been updated to version 2.1.0. The new release comes with better JA3/JA4 extraction and integration of additional threat-intel and OSINT services. We have also added support for more encapsulation protocols.

TLS Client Hello Reassembly

TLS handshakes no longer reliably fit in a single packet. Modern TLS features, like post-quantum key exchanges and Encrypted Client Hello (ECH), often grow the handshake so that it spans multiple TCP segments. The same trend appears in QUIC traffic, where TLS handshakes are now often too large to fit in a single UDP packet.

As a result, packet‑analysis tools that parse live traffic or PCAP files (like CapLoader) must cache partial TLS handshakes and reassemble them to recover the complete TLS ClientHello messages. NetworkMiner and FlowCarp already perform TLS handshake reassembly; CapLoader now supports it as well. This enables CapLoader to extract metadata from large TLS handshakes, including SNI hostnames, JA3 hashes and JA4 fingerprints.
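The reassembly step described above, as an added example that is not CapLoader's own code: a constructed ClientHello carrying a 1216-byte dummy key_share is fragmented over TLS records and 700-byte TCP segments, and a small parser that caches partial records recovers the SNI only once the last segment has arrived. It assumes in-order, loss-free TCP delivery (a real tool also needs TCP stream reassembly), and note that QUIC carries the handshake in CRYPTO frames rather than TLS records.

```python
import struct

def build_client_hello(sni, key_share_len=1216):
    # Constructed TLS 1.3-style ClientHello (not a real capture); the dummy key_share is
    # sized like a hybrid X25519MLKEM768 share so the message spans several records.
    name = sni.encode()
    sni_ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    exts = sni_ext + struct.pack("!HH", 0x0033, key_share_len) + b"\x00" * key_share_len
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"        # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"          # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello, 24-bit length

def to_records(handshake, max_rec=512):  # fragment over TLS records of type 0x16 (handshake)
    chunks = [handshake[i:i + max_rec] for i in range(0, len(handshake), max_rec)]
    return b"".join(struct.pack("!BHH", 0x16, 0x0303, len(c)) + c for c in chunks)

def extract_sni(body):
    # Walk the ClientHello body to its extensions and return the first server_name
    pos = 2 + 32                                          # legacy_version, random
    pos += 1 + body[pos]                                  # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    ext_end, pos = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0], pos + 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == 0:  # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
            return body[pos + 5:pos + 5 + name_len].decode()
        pos += elen
    return None

def reassemble_client_hello(segments):
    # Consume in-order TCP payloads one by one, caching partial records and handshake
    # fragments; returns (index of the segment that completed the ClientHello, SNI).
    stream = handshake = b""
    for idx, seg in enumerate(segments):
        stream += seg
        while len(stream) >= 5:
            ctype, _ver, rlen = struct.unpack("!BHH", stream[:5])
            if ctype != 0x16 or len(stream) < 5 + rlen:
                break  # not a handshake record, or record still incomplete: wait
            handshake += stream[5:5 + rlen]
            stream = stream[5 + rlen:]
        if len(handshake) >= 4 and handshake[0] == 1:
            hlen = int.from_bytes(handshake[1:4], "big")
            if len(handshake) >= 4 + hlen:
                return idx, extract_sni(handshake[4:4 + hlen])
    return None, None  # ClientHello never completed in the data seen
```

With the defaults the 1287-byte handshake becomes three records (1302 bytes on the wire) and two 700-byte segments; feeding only the first segment yields no SNI, feeding both yields it on segment index 1.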

TLS and QUIC sessions in CapLoader 2.1.0.0

The screenshot above shows CapLoader displaying information extracted from PCAP files that contain TLS and QUIC traffic with multi‑segment TLS 1.3 handshakes. The visible JA4 fingerprints for the client handshakes are:

  • q13d0311h3_55b375c5d22e_5a1f323ef56d − HTTP/3 w/ ECH
  • t13d1516h2_8daaf6152771_02713d6af862 − HTTP/2 w/ ECH
  • t13d1517h2_8daaf6152771_b0da82dd1658 − HTTP/2 w/ ECH
  • t13d1515h2_8daaf6152771_f37e75b10bcc − HTTP/2
  • t13d1516h2_8daaf6152771_9b887d9acb53 − HTTP/2

All these handshakes support post-quantum key agreement with a 1216-byte X25519MLKEM768 key. The first three listed JA4 fingerprints also use ECH.

JA4 fingerprint t13i010400_0f2cb44170f4_5c4c70b73fa0_518x136

Threat Intel and OSINT

CapLoader now matches network traffic against indicators of compromise (IOCs) from Johannes Bader's open source threat intelligence platform Rösti. An alert is raised whenever the analysed traffic matches any of the following IOC types on Rösti:

  • domain
  • domain:port
  • IP
  • IP:port

When a match occurs, CapLoader raises an alert on the flow/service and includes the matching IOC type and value. Rösti aggregates IOCs from public feeds, researchers, and threat‑intel providers (including IOCs published on this blog).

We have also extended the OSINT lookup shortcuts in CapLoader to include the following websites:

Right-click a flow/service/host/alert in CapLoader and select "Lookup [domain/IP/ASN] at...", which opens the chosen OSINT site in a browser tab with info about the domain/IP/ASN.

Encapsulated Protocols

CapLoader already decapsulates GRE, VXLAN, CapWap, Teredo, GTP-U, TZSP as well as IP-in-IP.

Decapsulate all the things

With this release we add support for extracting traffic from the following encapsulation protocols:

  • Aruba GRE encapsulated WiFi
  • Geneve (RFC 8926)
  • GRE in UDP (RFC 8086) to ports 4754 and 4755

Improved Protocol Detection

The precision of CapLoader's built-in port independent protocol identification has been improved and several additional protocols can now be detected, including GSocket, Hioles, Mirai, Pulsar RAT, PureRAT, SVCStealer and XenoRAT.

Posted by Erik Hjelmvik on Wednesday, 27 May 2026 09:15:00 (UTC/GMT)

Tags: #CapLoader #JA3 #JA4 #TLS #QUIC #OSINT #encapsulation #decapsulation #GRE

Short URL: https://netresec.com/?b=265c041


Article source: https://www.netresec.com/?page=Blog&month=2026-05&post=CapLoader-2-1-0-Released