MCPcopy Index your code
hub / github.com/FoxIO-LLC/ja4

github.com/FoxIO-LLC/ja4 @v0.18.8

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.18.8 ↗ · + Follow
242 symbols 488 edges 22 files 21 documented · 9%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

logo

JA4+™ Network Fingerprinting

JA4+ is a suite of network fingerprinting methods by FoxIO that are easy to use and easy to share. These methods are both human and machine readable to facilitate more effective threat-hunting and analysis. The use-cases for these fingerprints include scanning for threat actors, malware detection, session hijacking prevention, compliance automation, location tracking, DDoS detection, grouping of threat actors, reverse shell detection, and many more.

For a quick explainer on JA4+ and to use as a reference during analysis see:
JA4+ Cheat Sheet

For in-depth detail, please read our blogs on how JA4+ works, why it works, and examples of what can be detected/prevented with it:
JA4+ Network Fingerprinting (JA4/S/H/L/X/SSH)
JA4T: TCP Fingerprinting (JA4T/TS/TScan)
Investigating Surfshark and NordVPN with JA4T (JA4T)

If you love JA4+, consider getting a t-shirt or hoodie:
JA4+ Shirts, Hoodies, and Stickers

Table of contents

Current methods and implementation details

Full Name Short Name Description
JA4 JA4 TLS Client Fingerprinting
JA4Server JA4S TLS Server Response / Session Fingerprinting
JA4HTTP JA4H HTTP Client Fingerprinting
JA4Latency JA4L Client to Server Latency Measurment / Light Distance
JA4LatencyServer JA4LS Server to Client Latency Measurement / Light Distance
JA4X509 JA4X X509 TLS Certificate Fingerprinting
JA4SSH JA4SSH SSH Traffic Fingerprinting
JA4TCP JA4T TCP Client Fingerprinting
JA4TCPServer JA4TS TCP Server Response Fingerprinting
JA4TCPScan JA4TScan Active TCP Fingerprint Scanner
JA4DHCP JA4D DHCP Fingerprinting
JA4DHCPv6 JA4D6 DHCPv6 Fingerprinting

The full name or short name can be used interchangeably. Additional JA4+ methods are in the works...

To understand how to read JA4+ fingerprints, see Technical Details

Implementations

This repo includes JA4+ in

Tools that support JA4+

Tool/Vendor JA4+ Support
Wireshark JA4+
Zeek JA4+
Arkime JA4+
Suricata JA4+ (under development)
GreyNoise JA4+
Hunt JA4+
Driftnet JA4+
GoLang JA4X
nzyme JA4+ (under development)
Netresec's CapLoader JA4+ (under development)
Netresec's NetworkMiner JA4+ (under development)
NGINX JA4+
F5 BIG-IP JA4+
nfdump JA4+
ntop's ntopng JA4+
ntop's nDPI JA4
Team Cymru JA4+
NetQuest JA4+
Censys JA4+
Exploit.org's Netryx JA4 and JA4H
Cloudflare JA4
Fastly JA4+ (ask for it)
MISP JA4+
OCSF JA4+
Vercel JA4
Seika JA4+
VirusTotal JA4
AWS Cloudfront JA4
ELLIO JA4+
Webscout JA4+
Rama JA4 and JA4H
Vectra JA4+
AWS WAF JA4
Tacticly JA4+
Palo Alto Networks JA4+
ngrok JA4
Vertex Synapse JA4 and JA4S
Google Cloud Armor JA4
Fortinet JA4
AppOmni JA4+
IntelliGenesis JA4+
HAProxy JA4 and JA4H plugins by OXL
SentinelOne JA4
Akamai JA4
Alibaba Cloud JA4
Huawei Cloud JA4
Google Cloud LBs JA4
eSentire JA4+
Microsoft Azure Front Door CDN JA4
Moat by Arxignis JA4+
Zscaler JA4

with more to be announced...

Examples

Application JA4+ Fingerprints
Chrome JA4=t13d1516h2_8daaf6152771_02713d6af862 (TCP)

JA4=q13d0312h3_55b375c5d22e_06cda9e17597 (QUIC)

JA4=t13d1517h2_8daaf6152771_b0da82dd1658 (pre-shared key)

JA4=t13d1517h2_8daaf6152771_b1ff8ab2d16f (no key) | | IcedID Malware Dropper | JA4H=ge11cn020000_9ed1ff1f7b03_cd8dafe26982 | | IcedID Malware | JA4=t13d201100_2b729b4bf6f3_9e7b989ebec8

JA4S=t120300_c030_5e2616a54c73 | | Sliver Malware | JA4=t13d190900_9dc949149365_97f8aa674fd9

JA4S=t130200_1301_a56c5b993250

JA4X=000000000000_4f24da86fad6_bf0f0589fc03

JA4X=000000000000_7c32fa18c13e_bf0f0589fc03 | | Cobalt Strike | JA4H=ge11cn060000_4e59edc1297a_4da5efaf0cbd

JA4X=2166164053c1_2166164053c1_30d204a01551 | | SoftEther VPN | JA4=t13d880900_fcb5b95cb75a_b0d3b4ac2a14 (client)

JA4S=t130200_1302_a56c5b993250

JA4X=d55f458d5a6c_d55f458d5a6c_0fc8c171b6ae | | Qakbot | JA4X=2bab15409345_af684594efb4_000000000000 | | Pikabot | JA4X=1a59268f55e5_1a59268f55e5_795797892f9c | | Darkgate | JA4H=po10nn060000_cdb958d032b0 | | LummaC2 | JA4H=po11nn050000_d253db9d024b | | Evilginx | JA4=t13d191000_9dc949149365_e7c285222651 | | Reverse SSH Shell | JA4SSH=c76s76_c71s59_c0s70 | | Windows 11 | JA4T=64240_2-1-3-1-1-4_1460_8 | | Epson Printer | JA4TScan=28960_2-4-8-1-3_1460_3_1-4-8-16 | | Windows 11 | JA4D=disco0000in_61-12-60-55_1-3-6-15-31-33-43-44-46-47-119-121-249-252 | | Sony Receiver | JA4D6=solct0010nn_8-1-3-6_24-23 |

For more examples, see ja4plus-mapping.csv
For a complete database, see ja4db.com

Plugins

Wireshark
Zeek
Arkime

Binaries

JA4 binaries are built from the Rust implementation of the suite. To ensure full functionality, tshark (version 4.0.6 or later) is required. Download the latest JA4 binaries from the Releases page. The release versions for the Rust implementation follow Semantic Versioning and are marked as vX.Y.Z, unlike Wireshark plugin releases.

Release Assets

Release assets are named according to the component and platform:

  • Rust:
  • ja4-vX.Y.Z-<architecture>-<platform>.tar.gz (e.g., ja4-v0.18.5-x86_64-unknown-linux-musl.tar.gz)
  • Python:
  • ja4-python-vX.Y.Z.tar.gz (contains the full python/ directory)
  • Wireshark:
  • ja4.so.linux, ja4.so.macos, ja4.dll (attached to a release named like wireshark-vX.Y.Z)

Choose the appropriate file for your system and component.

Installing tshark

Linux

Install it using your package manager (the name of the package tshark or wireshark-cli depends on the distribution). For example, on Ubuntu:

sudo apt install tshark

macOS

  1. Download and install Wireshark (includes tshark).
  2. Add tshark to your PATH: sh sudo ln -s /Applications/Wireshark.app/Contents/MacOS/tshark /usr/local/bin/tshark

Windows

  1. Download and install Wireshark (includes tshark.exe).
  2. Locate tshark.exe (usually in C:\Program Files\Wireshark\tshark.exe).
  3. Add the folder containing tshark.exe to your system PATH:
  4. Open System Properties > Environment Variables > Edit Path.

Running JA4+

Once tshark and the JA4+ binaries are available, run JA4+ using the following command:

  • On Linux and macOS: sh ./ja4 [options] [pcap]
  • On Windows, open Command Prompt and run: cmd ja4 [options] [pcap]

For more details on running JA4+ and its advanced configurations, refer to the Rust implementation README, which provides information on its features, usage scenarios, and customization options.

Database

The official JA4+ database of fingerprints, associated applications and recommended detection logic is here: ja4db.com
This database is under very active development. Expect orders of magnitude more fingerprint combinations and data over the next few months.

A sample ja4plus-mapping.csv is also available for quick reference.

Release Process

JA4+ uses GitHub Actions to automate releases for its Rust, Python, Wireshark, and Zeek components. Releases are created by pushing a tag with a specific prefix to the repository, except for Zeek, which uses a pure semantic version (semver) tag. Release assets are named as follows:

  • Rust: ja4-vX.Y.Z-<architecture>-<platform>.tar.gz
  • Python: ja4-python-vX.Y.Z.tar.gz
  • Wireshark: ja4.so.linux, ja4.so.macos, ja4.dll (in a release named like wireshark-vX.Y.Z)

The following workflows are available:

  • Rust Release:
    Push a tag starting with rust-, e.g., rust-v0.18.5, to trigger a release of the Rust binaries. The workflow will build and upload release assets automatically.

  • Python Release:
    Push a tag starting with python-, e.g., python-v0.1.0, to trigger a release of the Python implementation. The workflow will create a tarball of the python/ directory and publish it as a release asset.

  • Wireshark Plugin Release:
    Push a tag starting with wireshark-, e.g., wireshark-v0.1.1, to trigger a release of the Wireshark plugin binaries for all supported platforms.

  • Zeek Release:
    Push a tag that is a pure semantic version (e.g., v1.2.3), with no prefix, to trigger a Zeek release. This will automatically create a release on packages.zeek.org.

How to Create a Release

  1. Ensure your changes are merged into the main branch.

  2. Create and push a tag for the component you want to release:

  3. For Rust, Python, or Wireshark, use the appropriate prefix (e.g., rust-v0.18.5, python-v0.1.0, wireshark-v0.1.1).
  4. For Zeek, use a pure semver tag (e.g., v1.2.3).

Example: sh git tag v1.2.3 git push origin v1.2.3 (For Zeek)

Or, for Rust: sh git tag rust-v0.18.5 git push origin rust-v0.18.5

  1. The corresponding GitHub Actions workflow will run

Extension points exported contracts — how you extend this code

Timestamps (Interface)
(no doc)
rust/ja4/src/time.rs

Core symbols most depended-on inside this repo

get_value_ptr
called by 50
wireshark/source/packet-ja4.c
first
called by 34
rust/ja4/src/pcap.rs
cache_update
called by 32
python/common.py
update_tree_item
called by 23
wireshark/source/packet-ja4.c
delete_keys
called by 15
python/common.py
get_cache
called by 12
python/common.py
mark_complete
called by 12
wireshark/source/packet-ja4.c
find_proto
called by 12
rust/ja4/src/pcap.rs

Shape

Function 113
Method 56
Class 53
Enum 19
Interface 1

Languages

Rust69%
Python15%
C15%

Modules by API surface

wireshark/source/packet-ja4.c36 symbols
rust/ja4/src/tls.rs31 symbols
rust/ja4/src/http.rs28 symbols
rust/ja4/src/stream.rs18 symbols
rust/ja4/src/time/udp.rs14 symbols
rust/ja4/src/pcap.rs14 symbols
rust/ja4/src/time/tcp.rs13 symbols
rust/ja4/src/ssh.rs12 symbols
python/ja4.py12 symbols
rust/ja4x/src/lib.rs10 symbols
rust/ja4/src/lib.rs10 symbols
python/common.py10 symbols

For agents

$ claude mcp add ja4 \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact