salesforce/ja3

Possible parse problem on loopback

sysopfb opened this issue · 1 comments

Not sure if loopback pcaps are even a concern, but client and server could be on the same system over loopback, and the loopback header seems to cause the data to be incorrectly parsed using your dpkt logic because of the lack of an Ethernet header.

curob commented

This is definitely a problem. I am trying to fingerprint TLS handshakes performed between:

  • VMs in VMWare Workstation that communicate via a virtual network
  • A VM and the host machine via a bridged network

In both cases, ja3 is not able to fingerprint the handshake because the packets are not Ethernet. According to Wireshark, the packets are "Linux cooked capture" instead of Ethernet. The packets in question contain valid IP, TCP, and SSL data per Wireshark.
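Both reports above come down to the same root cause: the frame decoder assumes a 14-byte Ethernet header, so a BSD-style loopback capture (pcap link type NULL) or a Linux cooked capture (link type SLL) gets its EtherType read from the wrong offset and the IP/TCP/TLS data underneath is never reached. The following is an added example, not ja3's own code, showing how to dispatch on the pcap link type before stripping the link layer and walking down to the TLS ClientHello. It uses only the standard library; the frames at the bottom are constructed test data (hand-built IPv4/TCP packets carrying a truncated ClientHello stand-in), not real captures, and the minimal IPv4/TCP parser is deliberately simplified (no IPv6, no fragment handling).

```python
import struct

# libpcap DLT_* link-layer header types (values from the pcap link-type registry)
DLT_NULL = 0          # BSD-style loopback: 4-byte address family, capturing host's byte order
DLT_EN10MB = 1        # Ethernet: 14-byte header, EtherType at offset 12
DLT_LINUX_SLL = 113   # Linux "cooked" capture: 16-byte header, protocol at offset 14

ETH_P_IP, ETH_P_IPV6, ETH_P_8021Q = 0x0800, 0x86DD, 0x8100
AF_INET = 2
IPPROTO_TCP = 6


def strip_link_layer(linktype, frame):
    """Return the IP packet carried by a frame, or None if the frame is not IP.

    Dispatching on the pcap link type is the whole point: treating every frame
    as Ethernet reads garbage as the EtherType for SLL and loopback captures."""
    if linktype == DLT_EN10MB:
        if len(frame) < 14:
            return None
        ethertype = struct.unpack("!H", frame[12:14])[0]
        offset = 14
        if ethertype == ETH_P_8021Q and len(frame) >= 18:   # skip one 802.1Q VLAN tag
            ethertype = struct.unpack("!H", frame[16:18])[0]
            offset = 18
        return frame[offset:] if ethertype in (ETH_P_IP, ETH_P_IPV6) else None
    if linktype == DLT_LINUX_SLL:
        if len(frame) < 16:
            return None
        proto = struct.unpack("!H", frame[14:16])[0]
        return frame[16:] if proto in (ETH_P_IP, ETH_P_IPV6) else None
    if linktype == DLT_NULL:
        if len(frame) < 4:
            return None
        # The family field is written in host byte order, so accept either endianness.
        families = {struct.unpack("<I", frame[:4])[0], struct.unpack(">I", frame[:4])[0]}
        return frame[4:] if AF_INET in families else None
    return None


def tcp_payload(ip_packet):
    """Minimal IPv4/TCP parser; returns (src_port, dst_port, payload) or None."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4 or ip_packet[9] != IPPROTO_TCP:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    tcp = ip_packet[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return sport, dport, tcp[data_offset:]


def looks_like_client_hello(data):
    """TLS record type 0x16 (handshake) whose first message is type 0x01 (ClientHello)."""
    return len(data) >= 6 and data[0] == 0x16 and data[5] == 0x01


def extract_client_hello(linktype, frame):
    """End to end: link layer -> IPv4 -> TCP -> ClientHello bytes, or None."""
    ip_packet = strip_link_layer(linktype, frame)
    parsed = tcp_payload(ip_packet) if ip_packet is not None else None
    if parsed is None:
        return None
    _sport, _dport, data = parsed
    return data if looks_like_client_hello(data) else None


# --- constructed sample frames (hand-built, not real captures) ----------------
def build_ipv4_tcp(payload, sport=51000, dport=443):
    """Wrap `payload` in IPv4+TCP headers (checksums left zero; fine for parsing tests)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes([127, 0, 0, 1]), bytes([127, 0, 0, 1]))
    return ip + tcp

# Truncated stand-in for a ClientHello: record header + handshake header + version.
SAMPLE_CLIENT_HELLO = bytes.fromhex("1603010006" "01000002" "0303")
IP_PKT = build_ipv4_tcp(SAMPLE_CLIENT_HELLO)
ETH_FRAME = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETH_P_IP) + IP_PKT
# SLL layout: packet type, ARPHRD type, link address length, 8-byte address, protocol
SLL_FRAME = struct.pack("!HHH", 0, 1, 6) + b"\x00" * 8 + struct.pack("!H", ETH_P_IP) + IP_PKT
LOOPBACK_FRAME = struct.pack("<I", AF_INET) + IP_PKT

if __name__ == "__main__":
    for name, lt, frame in (("ethernet", DLT_EN10MB, ETH_FRAME),
                            ("linux-sll", DLT_LINUX_SLL, SLL_FRAME),
                            ("bsd-loopback", DLT_NULL, LOOPBACK_FRAME)):
        print(f"{name:13s} correct linktype: {extract_client_hello(lt, frame) is not None}"
              f" | assumed Ethernet: {extract_client_hello(DLT_EN10MB, frame) is not None}")
```

Running the block shows the failure mode from the two reports directly: each frame decodes when its real link type is used, and the SLL and loopback frames decode to nothing when forced through the Ethernet path. In a dpkt-based reader the link type is available from `dpkt.pcap.Reader.datalink()`, and `dpkt.sll.SLL` parses cooked frames, so the same dispatch can be done there instead of unconditionally constructing `dpkt.ethernet.Ethernet`.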