
JA4+ is a suite of network fingerprinting methods by FoxIO that are easy to use and easy to share. These methods are both human and machine readable to facilitate more effective threat-hunting and analysis. The use-cases for these fingerprints include scanning for threat actors, malware detection, session hijacking prevention, compliance automation, location tracking, DDoS detection, grouping of threat actors, reverse shell detection, and many more.
For a quick explainer on JA4+ and to use as a reference during analysis see:
JA4+ Cheat Sheet
For in-depth detail, please read our blogs on how JA4+ works, why it works, and examples of what can be detected/prevented with it:
JA4+ Network Fingerprinting (JA4/S/H/L/X/SSH)
JA4T: TCP Fingerprinting (JA4T/TS/TScan)
Investigating Surfshark and NordVPN with JA4T (JA4T)
If you love JA4+, consider getting a t-shirt or hoodie:
JA4+ Shirts, Hoodies, and Stickers
| Full Name | Short Name | Description |
|---|---|---|
| JA4 | JA4 | TLS Client Fingerprinting |
| JA4Server | JA4S | TLS Server Response / Session Fingerprinting |
| JA4HTTP | JA4H | HTTP Client Fingerprinting |
| JA4Latency | JA4L | Client to Server Latency Measurment / Light Distance |
| JA4LatencyServer | JA4LS | Server to Client Latency Measurement / Light Distance |
| JA4X509 | JA4X | X509 TLS Certificate Fingerprinting |
| JA4SSH | JA4SSH | SSH Traffic Fingerprinting |
| JA4TCP | JA4T | TCP Client Fingerprinting |
| JA4TCPServer | JA4TS | TCP Server Response Fingerprinting |
| JA4TCPScan | JA4TScan | Active TCP Fingerprint Scanner |
| JA4DHCP | JA4D | DHCP Fingerprinting |
| JA4DHCPv6 | JA4D6 | DHCPv6 Fingerprinting |
The full name or short name can be used interchangeably. Additional JA4+ methods are in the works...
To understand how to read JA4+ fingerprints, see Technical Details
This repo includes JA4+ in
| Tool/Vendor | JA4+ Support |
|---|---|
| Wireshark | JA4+ |
| Zeek | JA4+ |
| Arkime | JA4+ |
| Suricata | JA4+ (under development) |
| GreyNoise | JA4+ |
| Hunt | JA4+ |
| Driftnet | JA4+ |
| GoLang | JA4X |
| nzyme | JA4+ (under development) |
| Netresec's CapLoader | JA4+ (under development) |
| Netresec's NetworkMiner | JA4+ (under development) |
| NGINX | JA4+ |
| F5 BIG-IP | JA4+ |
| nfdump | JA4+ |
| ntop's ntopng | JA4+ |
| ntop's nDPI | JA4 |
| Team Cymru | JA4+ |
| NetQuest | JA4+ |
| Censys | JA4+ |
| Exploit.org's Netryx | JA4 and JA4H |
| Cloudflare | JA4 |
| Fastly | JA4+ (ask for it) |
| MISP | JA4+ |
| OCSF | JA4+ |
| Vercel | JA4 |
| Seika | JA4+ |
| VirusTotal | JA4 |
| AWS Cloudfront | JA4 |
| ELLIO | JA4+ |
| Webscout | JA4+ |
| Rama | JA4 and JA4H |
| Vectra | JA4+ |
| AWS WAF | JA4 |
| Tacticly | JA4+ |
| Palo Alto Networks | JA4+ |
| ngrok | JA4 |
| Vertex Synapse | JA4 and JA4S |
| Google Cloud Armor | JA4 |
| Fortinet | JA4 |
| AppOmni | JA4+ |
| IntelliGenesis | JA4+ |
| HAProxy | JA4 and JA4H plugins by OXL |
| SentinelOne | JA4 |
| Akamai | JA4 |
| Alibaba Cloud | JA4 |
| Huawei Cloud | JA4 |
| Google Cloud LBs | JA4 |
| eSentire | JA4+ |
| Microsoft Azure Front Door CDN | JA4 |
| Moat by Arxignis | JA4+ |
| Zscaler | JA4 |
with more to be announced...
| Application | JA4+ Fingerprints |
|---|---|
| Chrome | JA4=t13d1516h2_8daaf6152771_02713d6af862 (TCP) |
JA4=q13d0312h3_55b375c5d22e_06cda9e17597 (QUIC)
JA4=t13d1517h2_8daaf6152771_b0da82dd1658 (pre-shared key)
JA4=t13d1517h2_8daaf6152771_b1ff8ab2d16f (no key) |
| IcedID Malware Dropper | JA4H=ge11cn020000_9ed1ff1f7b03_cd8dafe26982 |
| IcedID Malware | JA4=t13d201100_2b729b4bf6f3_9e7b989ebec8
JA4S=t120300_c030_5e2616a54c73 |
| Sliver Malware | JA4=t13d190900_9dc949149365_97f8aa674fd9
JA4S=t130200_1301_a56c5b993250
JA4X=000000000000_4f24da86fad6_bf0f0589fc03
JA4X=000000000000_7c32fa18c13e_bf0f0589fc03 |
| Cobalt Strike | JA4H=ge11cn060000_4e59edc1297a_4da5efaf0cbd
JA4X=2166164053c1_2166164053c1_30d204a01551 |
| SoftEther VPN | JA4=t13d880900_fcb5b95cb75a_b0d3b4ac2a14 (client)
JA4S=t130200_1302_a56c5b993250
JA4X=d55f458d5a6c_d55f458d5a6c_0fc8c171b6ae |
| Qakbot | JA4X=2bab15409345_af684594efb4_000000000000 |
| Pikabot | JA4X=1a59268f55e5_1a59268f55e5_795797892f9c |
| Darkgate | JA4H=po10nn060000_cdb958d032b0 |
| LummaC2 | JA4H=po11nn050000_d253db9d024b |
| Evilginx | JA4=t13d191000_9dc949149365_e7c285222651 |
| Reverse SSH Shell | JA4SSH=c76s76_c71s59_c0s70 |
| Windows 11 | JA4T=64240_2-1-3-1-1-4_1460_8 |
| Epson Printer | JA4TScan=28960_2-4-8-1-3_1460_3_1-4-8-16 |
| Windows 11 | JA4D=disco0000in_61-12-60-55_1-3-6-15-31-33-43-44-46-47-119-121-249-252 |
| Sony Receiver | JA4D6=solct0010nn_8-1-3-6_24-23 |
For more examples, see ja4plus-mapping.csv
For a complete database, see ja4db.com
JA4 binaries are built from the Rust implementation of the suite. To ensure full functionality, tshark (version 4.0.6 or later) is required. Download the latest JA4 binaries from the Releases page. The release versions for the Rust implementation follow Semantic Versioning and are marked as vX.Y.Z, unlike Wireshark plugin releases.
Release assets are named according to the component and platform:
ja4-vX.Y.Z-<architecture>-<platform>.tar.gz (e.g., ja4-v0.18.5-x86_64-unknown-linux-musl.tar.gz)ja4-python-vX.Y.Z.tar.gz (contains the full python/ directory)ja4.so.linux, ja4.so.macos, ja4.dll (attached to a release named like wireshark-vX.Y.Z)Choose the appropriate file for your system and component.
Install it using your package manager (the name of the package tshark or wireshark-cli depends on the distribution). For example, on Ubuntu:
sudo apt install tshark
tshark).tshark to your PATH:
sh
sudo ln -s /Applications/Wireshark.app/Contents/MacOS/tshark /usr/local/bin/tsharktshark.exe).tshark.exe (usually in C:\Program Files\Wireshark\tshark.exe).tshark.exe to your system PATH:Once tshark and the JA4+ binaries are available, run JA4+ using the following command:
sh
./ja4 [options] [pcap]cmd
ja4 [options] [pcap]For more details on running JA4+ and its advanced configurations, refer to the Rust implementation README, which provides information on its features, usage scenarios, and customization options.
The official JA4+ database of fingerprints, associated applications and recommended detection logic is here: ja4db.com
This database is under very active development. Expect orders of magnitude more fingerprint combinations and data over the next few months.
A sample ja4plus-mapping.csv is also available for quick reference.
JA4+ uses GitHub Actions to automate releases for its Rust, Python, Wireshark, and Zeek components. Releases are created by pushing a tag with a specific prefix to the repository, except for Zeek, which uses a pure semantic version (semver) tag. Release assets are named as follows:
ja4-vX.Y.Z-<architecture>-<platform>.tar.gzja4-python-vX.Y.Z.tar.gzja4.so.linux, ja4.so.macos, ja4.dll (in a release named like wireshark-vX.Y.Z)The following workflows are available:
Rust Release:
Push a tag starting with rust-, e.g., rust-v0.18.5, to trigger a release of the Rust binaries. The workflow will build and upload release assets automatically.
Python Release:
Push a tag starting with python-, e.g., python-v0.1.0, to trigger a release of the Python implementation. The workflow will create a tarball of the python/ directory and publish it as a release asset.
Wireshark Plugin Release:
Push a tag starting with wireshark-, e.g., wireshark-v0.1.1, to trigger a release of the Wireshark plugin binaries for all supported platforms.
Zeek Release:
Push a tag that is a pure semantic version (e.g., v1.2.3), with no prefix, to trigger a Zeek release. This will automatically create a release on packages.zeek.org.
Ensure your changes are merged into the main branch.
Create and push a tag for the component you want to release:
rust-v0.18.5, python-v0.1.0, wireshark-v0.1.1).v1.2.3).Example:
sh
git tag v1.2.3
git push origin v1.2.3
(For Zeek)
Or, for Rust:
sh
git tag rust-v0.18.5
git push origin rust-v0.18.5