FoxIO-LLC / ja4

JA4+ is a suite of network fingerprinting standards
https://foxio.io

wireshark plugin doesn't use 000000000000 for empty JA4_c #164

Closed awick closed 1 month ago

awick commented 2 months ago

If I have an empty JA4_c, the wireshark plugin hashes it as e3b0c44298fc while Arkime and ja4/rust use 000000000000, which is correct?

john-althouse commented 2 months ago

It should be zeros. That's a bug, thanks for bringing it up!

john-althouse commented 2 months ago

@awick can you send me a pcap?

We stopped supporting JA4 for Wireshark in our plugin because it's already included in the base version of Wireshark - no need to have it in there twice. So our plugin now only includes JA4+ (all of the other fingerprints) - similar to Arkime. That means this bug for JA4 in Wireshark will need to be fixed by the Wireshark team.

awick commented 2 months ago

4.4.0 is showing t10d190100_7b6e7846fca7_e3b0c44298fc rust/arkime t10d190100_7b6e7846fca7_000000000000

ja4_c-should-be-0s.pcap.gz
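The two fingerprints above differ only in the JA4_c part: e3b0c44298fc is the first 12 hex characters of SHA-256 over the empty string, while the JA4 spec says an empty cipher or extension list yields twelve zeros instead of a hash. The following is an added example (not code from the ja4 project or from Wireshark) showing the correct rule beside the pre-fix behaviour, plus a normalizer a defender can run over fingerprints collected from mixed tool versions so that a detection rule written for the zero form also matches records produced before the fix. It simplifies the hashed input to a comma-joined list of hex values; the real JA4_c input also appends signature algorithms, which are absent whenever the extension list is empty, so the empty case is unaffected. The function and variable names are this example's own.

```python
import hashlib

# Sentinels from the JA4 spec and from SHA-256("") respectively.
JA4_EMPTY_HASH = "000000000000"
SHA256_EMPTY_PREFIX = hashlib.sha256(b"").hexdigest()[:12]  # e3b0c44298fc


def ja4_hash_part(values):
    """JA4_b/JA4_c hash component per the JA4 spec.

    values: list of 4-hex-char cipher or extension identifiers, already
    sorted as the spec requires. An empty list is NOT hashed; the spec
    substitutes twelve zeros so the field cannot collide with a real hash.
    """
    if not values:
        return JA4_EMPTY_HASH
    joined = ",".join(values).encode("ascii")
    return hashlib.sha256(joined).hexdigest()[:12]


def ja4_hash_part_prefix_bug(values):
    """Pre-fix behaviour: hashing unconditionally, so an empty list
    produces the SHA-256 of "" truncated to 12 characters."""
    joined = ",".join(values).encode("ascii")
    return hashlib.sha256(joined).hexdigest()[:12]


def normalize_ja4(fingerprint):
    """Rewrite a JA4 string so that a hash part equal to SHA-256("")[:12]
    becomes the spec's all-zero form. Useful when matching rules against
    logs produced by both fixed and unfixed tools. The first (JA4_a) part
    is never a hash and is left untouched."""
    parts = fingerprint.split("_")
    if len(parts) != 3:
        raise ValueError(f"not a JA4 fingerprint: {fingerprint!r}")
    head, hashes = parts[0], parts[1:]
    fixed = [JA4_EMPTY_HASH if h == SHA256_EMPTY_PREFIX else h for h in hashes]
    return "_".join([head] + fixed)


if __name__ == "__main__":
    # Constructed sample: one extension list, one empty list.
    print(ja4_hash_part(["0005", "000a"]))            # a real hash
    print(ja4_hash_part([]))                          # 000000000000
    print(ja4_hash_part_prefix_bug([]))               # e3b0c44298fc
    print(normalize_ja4("t10d190100_7b6e7846fca7_e3b0c44298fc"))
```

Running the normalizer over the Wireshark 4.4.0 value from the comment above yields the Arkime/rust value, so a single detection rule can be keyed on the zero form regardless of which tool produced the record.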

john-althouse commented 2 months ago

I updated the JA4 spec to make this clear and created an issue here: https://gitlab.com/wireshark/wireshark/-/issues/20066

john-althouse commented 1 month ago

Fixed: https://gitlab.com/wireshark/wireshark/-/merge_requests/17679