FoxIO-LLC / ja4

JA4+ is a suite of network fingerprinting standards

Tshark did not parse ja4x fingerprint #119

Closed jianjun126 closed 5 days ago

jianjun126 commented 1 month ago

When using tshark to view ja4x fingerprints in certain pcap files, it is found that ja4x fingerprints are not being parsed. However, when examining the pcap files with Wireshark, the certificates, which have been parsed normally, can be found in the pcap files, but ja4x fingerprints are still not parsed.

tshark: image

wireshark: image

This is the test pcap: ssl-ja4x.zip

owah commented 2 weeks ago

You can run the ja4 reference implementation to get the ja4x:

~/tmp$ ../ja4plus/ja4 ssl-ja4x.pcap
- stream: 0
  transport: tcp
  src: 54.221.166.250
  dst: 162.219.2.166
  src_port: 56323
  dst_port: 443
  tls_server_name: www.lilawelt.net
  ja4: t12d130600_2d7513195f68_021165082e1c
  ja4s: t120300_c02f_d76140a3aa39
  tls_certs:
  - x509:
    - ja4x: 7d5dbb3783b4_ade77d8ed017_4656246d94a2
      issuerCountryName: IL
      issuerOrganizationName: StartCom Ltd.
      issuerOrganizationalUnit: Secure Digital Certificate Signing
      issuerCommonName: StartCom Class 1 Primary Intermediate Server CA
      subjectCountryName: US
      subjectCommonName: www.lilawelt.net
    - ja4x: 7d5dbb3783b4_7d5dbb3783b4_44ce05048d28
      issuerCountryName: IL
      issuerOrganizationName: StartCom Ltd.
      issuerOrganizationalUnit: Secure Digital Certificate Signing
      issuerCommonName: StartCom Certification Authority
      subjectCountryName: IL
      subjectOrganizationName: StartCom Ltd.
      subjectOrganizationalUnit: Secure Digital Certificate Signing
      subjectCommonName: StartCom Class 1 Primary Intermediate Server CA
  ja4l_c: 10204_39
  ja4l_s: 30_64

If I am not mistaken, the Wireshark people don't have the license to implement any other JA4 fingerprint except for JA4 and JA4S. I think this was discussed here: https://github.com/FoxIO-LLC/ja4/issues/15 but I am not sure. I haven't reread it, I just looked for the term "license" in the issues 😇

noeltimothy commented 1 week ago

Working on this.

noeltimothy commented 5 days ago

Could not reproduce this on the latest sources. An updated version of the ja4.dll binary is being added to main.