Closed awick closed 5 months ago
Indeed. The app returns `0: Parsing Error: Der(InvalidLength)` for each of those files.

```
❯ ja4x socks4-https.pcap
Error:
   0: Parsing Error: Der(InvalidLength)

Location:
   ja4x/src/main.rs:53

Backtrace omitted. Run with RUST_BACKTRACE=1 environment variable to display it.
Run with RUST_BACKTRACE=full to include source snippets.
```
@awick I'm looking at `socks4-https.pcap` as an example. I'll update `ja4x` to handle input like this gracefully and not fail, but there are no TLS frames to obtain certificates from, hence no JA4X.
> I'll update `ja4x` to handle input like this gracefully and not fail

Ah, I forgot that `ja4x` expects certificates in PEM or DER format as its input. It is not supposed to work with capture files; that's what `ja4` is for.
Still, an error message like this

```
Error:
   0: Parsing Error: Der(InvalidLength)

Location:
   ja4x/src/main.rs:53
```

is quite unfriendly to the user.
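One way a CLI like this could pre-check its input before the DER parser ever runs, as an added example that is not ja4x's own code: it tells pcap/pcapng captures apart from PEM or DER certificates by their leading bytes, so a capture handed to `ja4x` gets a pointer to `ja4` instead of a bare `Der(InvalidLength)`. The magic numbers are the standard libpcap and pcapng ones; the `InputKind`, `classify` and `advice` names are made up for this example.

```rust
// Added example, not ja4x's own code: sniff a file's leading bytes before DER parsing.

#[derive(Debug, PartialEq)]
pub enum InputKind {
    Pcap,    // classic libpcap magic, either byte order, micro- or nanosecond variant
    PcapNg,  // pcapng Section Header Block type
    Pem,     // text containing at least one PEM CERTIFICATE block
    Der,     // one DER SEQUENCE whose declared length spans the whole file
    Unknown,
}

/// DER length after the tag at offset 0 -> (content_len, header_len); indefinite (0x80)
/// and length fields longer than 4 bytes are rejected as not valid DER.
fn der_outer_length(buf: &[u8]) -> Option<(usize, usize)> {
    let first = *buf.get(1)?;
    if first < 0x80 {
        return Some((first as usize, 2));
    }
    let n = (first & 0x7f) as usize;
    if n == 0 || n > 4 || buf.len() < 2 + n {
        return None;
    }
    Some((buf[2..2 + n].iter().fold(0usize, |acc, b| (acc << 8) | *b as usize), 2 + n))
}

pub fn classify(buf: &[u8]) -> InputKind {
    match buf.get(..4) {
        Some([0xd4, 0xc3, 0xb2, 0xa1] | [0xa1, 0xb2, 0xc3, 0xd4]
            | [0x4d, 0x3c, 0xb2, 0xa1] | [0xa1, 0xb2, 0x3c, 0x4d]) => return InputKind::Pcap,
        Some([0x0a, 0x0d, 0x0d, 0x0a]) => return InputKind::PcapNg,
        _ => {}
    }
    if std::str::from_utf8(buf).map_or(false, |s| s.contains("-----BEGIN CERTIFICATE-----")) {
        return InputKind::Pem;
    }
    // Structural DER check only: outer SEQUENCE whose length matches the file size.
    if buf.first() == Some(&0x30) {
        if let Some((len, hdr)) = der_outer_length(buf) {
            if hdr + len == buf.len() {
                return InputKind::Der;
            }
        }
    }
    InputKind::Unknown
}

/// Message a CLI could print in place of the raw parser error.
pub fn advice(kind: &InputKind) -> &'static str {
    match kind {
        InputKind::Pcap | InputKind::PcapNg => "packet capture: feed it to ja4, ja4x only reads certificates",
        InputKind::Pem | InputKind::Der => "certificate: valid input for ja4x",
        InputKind::Unknown => "neither a capture nor a PEM/DER certificate",
    }
}
```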
So I'm just using `ja4`, not the `ja4x` binary, if that matters.

It is HTTPS over SOCKS; I guess Wireshark doesn't decode it by default.
> So I'm just using `ja4`, not the `ja4x` binary, if that matters.

Makes sense. Thanks for clarifying.
> It is HTTPS over SOCKS; I guess Wireshark doesn't decode it by default.

Wireshark needs secrets to decrypt TLS traffic. Secrets can either be embedded into a capture file or stored separately.
There is no decryption here. This is HTTPS over SOCKS.

Let's ignore the SOCKS ones. I am using the release build now, and I can see the certs in Wireshark.

```
./target/release/ja4 ~/arkime/tests/pcap/ssl-selfsign.pcap
./target/release/ja4 ~/arkime/tests/pcap/https3-301-get.pcap
```
@awick That's weird.

@awick Would you try to build from my branch and run

```
RUST_LOG=debug target/release/ja4 ~/arkime/tests/pcap/ssl-selfsign.pcap
```

?
Yep, that works! I give up.

I figured it out!!! The Wireshark `ja4.so` was installed when I was running before and was crashing, I guess. I uninstalled it earlier so I could check these files in Wireshark. I just reinstalled it, and even your branch isn't working.
For Rust `ja4` tshark runs, is there a way to disable the `ja4.so` Wireshark plugin?

> For Rust `ja4` tshark runs, is there a way to disable the `ja4.so` Wireshark plugin?

You can remove `ja4.so` from Wireshark's `epan/` directory, or just rename the file. For macOS the path to the `epan/` dir is `/Applications/Wireshark.app/Contents/PlugIns/wireshark/4-2/epan/`.

I'm not entirely sure, but I would expect Wireshark and tshark to use the same plugins. So I don't think a plugin (e.g. `epan/ja4.so`) can be disabled for `tshark` only and remain activated for `wireshark`.
Yes, I know how to do it; I was asking if there is a way inside the ja4 programs, when running tshark, to disable it so there is never an accidental interaction. Anyway, closing this issue since it looks like tshark doesn't decode SOCKS and the other ones were caused by `ja4.so` crashing tshark.

These are all missing JA4X output from Rust `ja4` against files in https://github.com/arkime/arkime/tree/main/tests/pcap