by closeparen 2248 days ago
What can you do with a packet capture on a modern high security network besides go, "yup, that's TLS"?

Maybe DoD turns off the forward secrecy stuff and escrows keys?


In large part you're not looking at TLS application-data with this stuff; you're monitoring internal networks and all the protocols they run, in part so you can retroactively see if exploits, once revealed, have been run. For that kind of stuff you often care a lot more about, say, SMB dissection than you do about what stupid websites people are looking at.

The longstanding existence of tools like these --- and there are "better" ones that aren't open source, and have been for decades --- is one reason that "vulnerability equities processes" don't make sense; if the DoD uses an exploit against a foreign target, it can't just reveal it a few months later without compromising sources and methods.

(That doesn't mean you should care about that problem; I'm just reporting).

Interesting. A lot of Big Tech has started to encrypt even internal network traffic, though. Wouldn't the spooks be way ahead of us on that one?