A network protocol has performance requirements. In order to address these requirements, many implementations will leak some side-channel information, indicating how a tunnel is being used. Particularly approximate packet sizes and timing can be tied to a particular use of an encrypted tunnel. Pacumen is an open-source tool which can learn what a specific application “looks like” over an encrypted tunnel and can be trained to recognize that application being used without decryption. We will go into a deep-dive about the algorithm used and how it works, as well as talk about how best to measure it’s performance and utilize it in the real world. Attendees will walk away from the talk with in-depth knowledge about how to analyze packet sizes and timing utilizing modest computational and labor resources. They can then often determine what type of traffic is likely being encrypted algorithmically as well as using the tool Pacumen.