Closed awick closed 5 months ago
Cannot reproduce.
❯ ja4 https3-301-get.pcap
- stream: 0
  transport: tcp
  src: 10.180.156.141
  dst: 192.30.252.130
  src_port: 62599
  dst_port: 443
  tls_server_name: www.github.com
  ja4: t10d230100_6a57a6f57151_000000000000
  ja4s: t100200_0005_696072bc484d
  tls_certs:
  - x509:
    - ja4x: 7d5dbb3783b4_59b7510e6266_5e17a2514980
      issuerCountryName: US
      issuerOrganizationName: DigiCert Inc
      issuerOrganizationalUnit: www.digicert.com
      issuerCommonName: DigiCert High Assurance EV CA-1
      subjectBusinessCategory: Private Organization
      subjectMsJurisdictionCountry: US
      subjectMsJurisdictionStateOrProvince: Delaware
      subjectSerialNumber: '5157550'
      subjectStreetAddress: 548 4th Street
      subjectPostalCode: '94107'
      subjectCountryName: US
      subjectStateOrProvinceName: California
      subjectLocalityName: San Francisco
      subjectOrganizationName: GitHub, Inc.
      subjectCommonName: github.com
    - ja4x: 7d5dbb3783b4_7d5dbb3783b4_897f3043ab93
      issuerCountryName: US
      issuerOrganizationName: DigiCert Inc
      issuerOrganizationalUnit: www.digicert.com
      issuerCommonName: DigiCert High Assurance EV Root CA
      subjectCountryName: US
      subjectOrganizationName: DigiCert Inc
      subjectOrganizationalUnit: www.digicert.com
      subjectCommonName: DigiCert High Assurance EV CA-1
  ja4l_c: 33_64
  ja4l_s: 17805_50
@awick Please make sure your tshark version ≥ 4.0.6. See also https://github.com/FoxIO-LLC/ja4/issues/51#issuecomment-1908967279
Why did you close, I'm using 4.2.0 which is > 4.0.6
Oh, my bad! I didn't realize that your tshark is newer than mine, not older. Sorry for that.
Wait. This doesn't make sense. The version of tshark installed on my machine is 4.2.1. I also have a docker container with tshark 4.0.6. And your tshark is 4.2.0. They all should give the same result, the one I posted above.
ok, updated the initial bug report, these are all ja4.so crashes, socks issues, or bug in arkime parsing of draft