I'm trying to track down outdated cryptographic protocols and weak cipher suites still being used. I want to put this into a report that lists the source and destination IP addresses, the protocol being used, and the cipher suites being used. The problem I'm running into is that both the protocol and the cipher suite get put into the same meta key (crypto). I need one or the other (I think) to go into a different key so I can have them both in the same row of the report. Am I overthinking this or missing something really simple here? Any help would be greatly appreciated!
I also want to understand this. I disabled erroneous packet parsers and still see this duplicate behavior. I want the protocol and cipher suite separate; for us it is critical for understanding whether we have encrypted streams using ECDHE that an out-of-band decryption solution cannot inspect.
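
One way to get the protocol and the cipher suite onto the same report row is to split the mixed `crypto` values after export and pivot them per session. The following is an added example, not part of the original thread and not any product's own code; the CSV layout, the `sessionid`, `ip.src` and `ip.dst` column names, the value spellings and the sample rows are constructed assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export: one row per (session, crypto value).
# Column names and value spellings are assumptions, not taken from the thread.
SAMPLE = """sessionid,ip.src,ip.dst,crypto
101,10.0.0.5,192.0.2.10,TLS 1.2
101,10.0.0.5,192.0.2.10,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
102,10.0.0.7,192.0.2.20,TLS 1.0
102,10.0.0.7,192.0.2.20,TLS_RSA_WITH_3DES_EDE_CBC_SHA
103,10.0.0.9,192.0.2.30,SSL 3.0
103,10.0.0.9,192.0.2.30,TLS_RSA_WITH_RC4_128_MD5
"""

# A protocol value is a name plus a version number; anything else is a suite.
PROTOCOL_RE = re.compile(r"^(SSL|TLS|DTLS)\s*v?\d+(\.\d+)?$", re.I)
OUTDATED = {"SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1"}  # assumes this spelling
WEAK_TOKENS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "anon")  # DES also hits 3DES

def split_crypto(value):
    """Return ('protocol', v) for version strings, else ('cipher', v)."""
    v = value.strip()
    return ("protocol" if PROTOCOL_RE.match(v) else "cipher", v)

def build_report(csv_text):
    """Pivot mixed crypto rows into one row per session with separate columns."""
    sessions = defaultdict(lambda: {"protocol": set(), "cipher": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind, v = split_crypto(row["crypto"])
        sessions[(row["sessionid"], row["ip.src"], row["ip.dst"])][kind].add(v)
    report = []
    for (sid, src, dst), vals in sorted(sessions.items()):
        ciphers = sorted(vals["cipher"])
        report.append({
            "sessionid": sid, "src": src, "dst": dst,
            "protocol": ", ".join(sorted(vals["protocol"])),
            "cipher": ", ".join(ciphers),
            "outdated_protocol": bool(vals["protocol"] & OUTDATED),
            "weak_cipher": any(t.lower() in c.lower()
                               for c in ciphers for t in WEAK_TOKENS),
            # ECDHE key exchange: not readable by passive, key-based decryption
            "ecdhe": any("ECDHE" in c.upper() for c in ciphers),
        })
    return report

if __name__ == "__main__":
    for line in build_report(SAMPLE):
        print(line)
```

TLS 1.3 suite names such as `TLS_AES_128_GCM_SHA256` do not contain `ECDHE` even though TLS 1.3 always uses an ephemeral key exchange, so the `ecdhe` column should be read together with the `protocol` column.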