rust ja4/ja4s issues with Arkime pcaps

[awick]

• https3-301-get.pcap - missing both - fixed ja4.so was crashing
• openssl-ssl3.pcap - crash - fixed ja4.so was crashing
• socks-http-example.pcap - missing both - tshark doesn't support socks decoding
• socks4-https.pcap - missing both - tshark doesn't support socks decoding
• ssl-selfsign.pcap - missing both - fixed ja4.so was crashing
• tls13.pcap - both ja4/ja4s say version is t00 instead of t13 - fixed in arkime, weirdness with draft

[vvv]

Cannot reproduce.

❯ ja4 https3-301-get.pcap
- stream: 0
  transport: tcp
  src: 10.180.156.141
  dst: 192.30.252.130
  src_port: 62599
  dst_port: 443
  tls_server_name: www.github.com
  ja4: t10d230100_6a57a6f57151_000000000000
  ja4s: t100200_0005_696072bc484d
  tls_certs:
  - x509:
    - ja4x: 7d5dbb3783b4_59b7510e6266_5e17a2514980
      issuerCountryName: US
      issuerOrganizationName: DigiCert Inc
      issuerOrganizationalUnit: www.digicert.com
      issuerCommonName: DigiCert High Assurance EV CA-1
      subjectBusinessCategory: Private Organization
      subjectMsJurisdictionCountry: US
      subjectMsJurisdictionStateOrProvince: Delaware
      subjectSerialNumber: '5157550'
      subjectStreetAddress: 548 4th Street
      subjectPostalCode: '94107'
      subjectCountryName: US
      subjectStateOrProvinceName: California
      subjectLocalityName: San Francisco
      subjectOrganizationName: GitHub, Inc.
      subjectCommonName: github.com
    - ja4x: 7d5dbb3783b4_7d5dbb3783b4_897f3043ab93
      issuerCountryName: US
      issuerOrganizationName: DigiCert Inc
      issuerOrganizationalUnit: www.digicert.com
      issuerCommonName: DigiCert High Assurance EV Root CA
      subjectCountryName: US
      subjectOrganizationName: DigiCert Inc
      subjectOrganizationalUnit: www.digicert.com
      subjectCommonName: DigiCert High Assurance EV CA-1
  ja4l_c: 33_64
  ja4l_s: 17805_50

@awick Please make sure your tshark version ≥ 4.0.6. See also https://github.com/FoxIO-LLC/ja4/issues/51#issuecomment-1908967279

[awick]

Why did you close, I'm using 4.2.0 which is > 4.0.6

[vvv]

Why did you close, I'm using 4.2.0 which is > 4.0.6

Oh, my bad! I didn't realize that your tshark is newer than mine, not older. Sorry for that.

[vvv]

Wait. This doesn't make sense. The version of tshark installed on my machine is 4.2.1. I also have a docker container with tshark 4.0.6. And your tshark is 4.2.0.

They all should give the same result, the one I posted above.

[awick]

ok, updated the initial bug report, these are all ja4.so crashes, socks issues, or bug in arkime parsing of draft