FoxIO-LLC / ja4

JA4+ is a suite of network fingerprinting standards
https://foxio.io

JA4+ beta wireshark plugin errors when CommunityID protocol is enabled #63

Closed TheRealPancakes closed 4 months ago

TheRealPancakes commented 5 months ago

Environment:

arm wireshark v4.2.2-0-g404592842786 on macOS Sonoma 14.3
ad7e956b32d9397f215caf84e9470d2e96946f2b57ef39a6449d55c61627d059 ja4.so

Issue:

The JA4+ plugin fails with a dissector bug if the CommunityID protocol is enabled:

[Dissector bug, protocol JA4: "JA4 Fingerprint" - "ja4" tfi->tree_type: -1 invalid (epan/proto.c:6222)] [Expert Info (Error/Malformed): "JA4 Fingerprint" - "ja4" tfi->tree_type: -1 invalid (epan/proto.c:6222)] ["JA4 Fingerprint" - "ja4" tfi->tree_type: -1 invalid (epan/proto.c:6222)] [Severity level: Error] [Group: Malformed]

Expected behavior:

The JA4+ plugin should work regardless of which protocols are enabled in wireshark.

Steps to reproduce:

The failure also happens when doing analysis via tshark, e.g.:

tshark --enable-protocol communityid -Tfields -e communityid -e tls.handshake.ja4 -r /path/to/foo.pcap 'tls.handshake.type == 1'