FoxIO-LLC / ja4

JA4+ is a suite of network fingerprinting standards
https://foxio.io

JA4 and DTLS #101

Closed IvanNardi closed 2 months ago

IvanNardi commented 4 months ago

Is the JA4 algorithm supposed to work with DTLS traffic too? I am asking because: 1) I didn't find any reference at all to DTLS in this repository; 2) Wireshark doesn't calculate a JA4 fingerprint for DTLS sessions, but nDPI does.

AFAIK, it should work out of the box, with only some minor changes to handle the DTLS version numbers.

john-althouse commented 4 months ago

Great call out! DTLS sends a normal TLS client hello packet over UDP so this is very easy to fingerprint with JA4.

I've added DTLS support to the JA4 spec here: https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md

We'll start working on updating all the packages to add said support.

This update has no impact on existing JA4 fingerprints - it only adds support for DTLS.

john-althouse commented 4 months ago

@IvanNardi JA4 DTLS support has been added to Zeek, Wireshark, and is coming to Arkime soon.
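To make the point of this thread concrete, the following is an added example of my own (not code from the ja4 repository, nDPI, Wireshark or Zeek): a minimal JA4 computation over already-parsed ClientHello fields, run once for the same hello over TCP and once over UDP as DTLS. It assumes the transport letter `d` and the DTLS version codes `d1`/`d2`/`d3` as I recall them from the updated JA4.md; check those against the linked spec. Everything after JA4_a (the cipher and extension hashes) is untouched by the DTLS change, which is what the example shows.

```python
import hashlib

# TLS rows follow the JA4 spec; the DTLS rows (d1/d2/d3) are how I recall the
# updated JA4.md and should be checked against the linked spec.
VERSION_CODES = {
    0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10", 0x0300: "s3", 0x0002: "s2",
    0xfeff: "d1", 0xfefd: "d2", 0xfefc: "d3",
}
RANK = ["s2", "s3", "10", "11", "12", "13", "d1", "d2", "d3"]  # lowest to highest
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}  # 0x0a0a, 0x1a1a, ..., 0xfafa
SNI, ALPN = 0x0000, 0x0010  # counted in JA4_a, but excluded from the JA4_c hash


def _h12(s):
    return hashlib.sha256(s.encode()).hexdigest()[:12]


def ja4(transport, hello_version, ciphers, extensions, sigalgs, supported_versions=(), alpn=None):
    """transport: 't' = TCP, 'q' = QUIC, 'd' = DTLS. Lists hold raw 16-bit values."""
    ciphers = [c for c in ciphers if c not in GREASE]
    exts = [e for e in extensions if e not in GREASE]
    # Highest offered version wins, else the hello's own version. Rank by code, not by
    # number: DTLS 1.3 (0xfefc) is numerically lower than DTLS 1.2 (0xfefd).
    candidates = [v for v in supported_versions if v in VERSION_CODES] or [hello_version]
    best = max(candidates, key=lambda v: RANK.index(VERSION_CODES.get(v, "s2")))
    ver = VERSION_CODES.get(best, "00")
    alpn_code = alpn[0] + alpn[-1] if alpn else "00"
    ja4_a = (f"{transport}{ver}{'d' if SNI in exts else 'i'}"
             f"{min(len(ciphers), 99):02d}{min(len(exts), 99):02d}{alpn_code}")
    ja4_b = _h12(",".join(sorted(f"{c:04x}" for c in ciphers)))
    ext_str = ",".join(sorted(f"{e:04x}" for e in exts if e not in (SNI, ALPN)))
    if sigalgs:  # no trailing underscore when the hello has no signature_algorithms
        ext_str += "_" + ",".join(f"{s:04x}" for s in sigalgs)
    return f"{ja4_a}_{ja4_b}_{_h12(ext_str)}"


# Constructed ClientHello field values (not a captured packet); the GREASE cipher
# 0x1a1a and GREASE extension 0x2a2a are there to show they drop out of the counts.
CIPHERS = [0x1a1a, 0x1301, 0x1302, 0xc02b, 0xc02f]
EXTS = [0x0000, 0x0017, 0x000a, 0x000b, 0x0010, 0x000d, 0x002b, 0x0033, 0x2a2a]
SIGALGS = [0x0403, 0x0804, 0x0401]


def fingerprints():
    """Same hello contents over TCP (TLS 1.3 offered) and over UDP (DTLS 1.3 offered)."""
    tls = ja4("t", 0x0303, CIPHERS, EXTS, SIGALGS, supported_versions=[0x0304, 0x0303], alpn="h2")
    dtls = ja4("d", 0xfefd, CIPHERS, EXTS, SIGALGS, supported_versions=[0xfefc, 0xfefd], alpn="h2")
    return tls, dtls
```

Calling `fingerprints()` gives `t13d0408h2_...` and `dd3d0408h2_...` with identical JA4_b and JA4_c parts; only the transport letter and version code differ.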