Hello!
I understand that you've got a server which sending TLS-encrypted traffic to some location when it boots up, and you're looking to understand why. It sounds like this is expected traffic, not a security issue (given that you're planning to re-develop the server), correct? I should be able to hunt this down for you pretty quickly and easily, but I'd like to understand more about the problem to be sure.
I've worked with Linux servers for 15+ years, so given what you've shared so far, I would probably first look for the process which is sending the traffic and understand that before trying to analyze the traffic itself. Is this process one that you set up in the past, or one that is a complete mystery? Would I have full access to the device, to reboot or possibly run in a VM if necessary? (If not, it may be helpful to clone the device, but again, I need to understand the situation better first).
Thank you for your consideration, and I look forward to discussing your project further with you!
Best,
-Scott