Closed vvv closed 4 months ago
I noticed strange behaviour of the Python app when processing the attached capture file.
📎 ssh-r_stream-1.pcap.gz (this is `tcp.stream == 1`, extracted from ssh-r.pcap)
ja4.py produces 4 output records.
```
root@cb2229f67df7:/ja4/python# python3 ja4.py --json ../pcap/ssh-r_stream-1.pcap 2>/dev/null | jq -c . | wc -l
4
root@cb2229f67df7:/ja4/python# python3 ja4.py --json ../pcap/ssh-r_stream-1.pcap 2>/dev/null | jq -c . | sort -u | wc -l
2
root@cb2229f67df7:/ja4/python# python3 ja4.py --json ../pcap/ssh-r_stream-1.pcap 2>/dev/null | jq -c . | sort -u | jq .
{
  "stream": 0,
  "src": "192.168.1.197",
  "dst": "44.212.59.210",
  "srcport": "46394",
  "dstport": "22",
  "client_ttl": "64",
  "server_ttl": "116",
  "JA4L-S": "4171_116",
  "JA4L-C": "2058_64",
  "ssh_extras": {
    "hassh": "ec9ea89c70f5fc71cf61061bff5e4740",
    "hassh_server": "2307c390c7c9aba5b4c9519e72347f34",
    "ssh_protocol_client": "SSH-2.0-OpenSSH_7.4",
    "ssh_protocol_server": "SSH-2.0-OpenSSH_8.7",
    "encryption_algorithm": "aes256-gcm@openssh.com"
  },
  "JA4SSH.1": "c48s21_c7s5_c4s5"
}
{
  "stream": 0,
  "src": "192.168.1.197",
  "dst": "44.212.59.210",
  "srcport": "46394",
  "dstport": "22",
  "client_ttl": "64",
  "server_ttl": "116",
  "JA4L-S": "4171_116",
  "JA4L-C": "2058_64",
  "ssh_extras": {
    "hassh": "ec9ea89c70f5fc71cf61061bff5e4740",
    "hassh_server": "2307c390c7c9aba5b4c9519e72347f34",
    "ssh_protocol_client": "SSH-2.0-OpenSSH_7.4",
    "ssh_protocol_server": "SSH-2.0-OpenSSH_8.7",
    "encryption_algorithm": "aes256-gcm@openssh.com"
  },
  "JA4SSH.1": "c48s21_c7s5_c5s5"
}
root@cb2229f67df7:/ja4/python# rec1=$(python3 ja4.py --json ../pcap/1.pcap 2>/dev/null | jq -c . | sort -u | head -1 | jq .)
root@cb2229f67df7:/ja4/python# rec2=$(python3 ja4.py --json ../pcap/1.pcap 2>/dev/null | jq -c . | sort -u | tail -1 | jq .)
root@cb2229f67df7:/ja4/python# diff -u <(echo "$rec1") <(echo "$rec2")
--- /dev/fd/63	2024-02-03 20:39:00.731977007 +0000
+++ /dev/fd/62	2024-02-03 20:39:00.731977007 +0000
@@ -15,5 +15,5 @@
     "ssh_protocol_server": "SSH-2.0-OpenSSH_8.7",
     "encryption_algorithm": "aes256-gcm@openssh.com"
   },
-  "JA4SSH.1": "c48s21_c7s5_c4s5"
+  "JA4SSH.1": "c48s21_c7s5_c5s5"
 }
```
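An added consistency check (not part of the JA4 project or of this report) that automates the `sort -u` / `diff` comparison shown above: it groups ja4.py JSON records by flow, reports every field that takes more than one value within the same flow, and splits a JA4SSH string into its segments so the differing part can be named. The two sample records are copied from the output above; the JA4SSH layout (packet-length modes, packet counts, ACK counts) is an assumption taken from the JA4+ spec.

```python
import json
from collections import defaultdict

# Constructed sample: the two distinct records ja4.py emitted for the single
# stream in the report (fields copied from the terminal output above).
SAMPLE_RECORDS = [
    {"stream": 0, "src": "192.168.1.197", "dst": "44.212.59.210",
     "srcport": "46394", "dstport": "22", "JA4SSH.1": "c48s21_c7s5_c4s5"},
    {"stream": 0, "src": "192.168.1.197", "dst": "44.212.59.210",
     "srcport": "46394", "dstport": "22", "JA4SSH.1": "c48s21_c7s5_c5s5"},
]
FLOW_KEYS = ("stream", "src", "dst", "srcport", "dstport")

def flow_key(rec):
    """Identify a flow by the fields that must be identical for one TCP stream."""
    return tuple(str(rec.get(k)) for k in FLOW_KEYS)

def find_conflicts(records):
    """Return {flow: {field: sorted distinct values}} for every field that takes
    more than one value within the same flow. An empty dict means the output is
    consistent; this generalises the manual `sort -u | diff` check to all fields."""
    seen = defaultdict(lambda: defaultdict(set))
    for rec in records:
        for field, value in rec.items():
            # nested objects such as ssh_extras are compared by canonical JSON text
            key = value if isinstance(value, (str, int, float, bool, type(None))) \
                else json.dumps(value, sort_keys=True)
            seen[flow_key(rec)][field].add(key)
    return {flow: {f: sorted(v) for f, v in fields.items() if len(v) > 1}
            for flow, fields in seen.items()
            if any(len(v) > 1 for v in fields.values())}

def ja4ssh_segments(fp):
    """Split a JA4SSH string into its three parts. Layout is an assumption taken
    from the JA4+ spec: c/s packet-length modes, c/s packet counts, c/s ACK counts."""
    modes, counts, acks = fp.split("_")
    return {"mode_pkt_len": modes, "pkt_count": counts, "ack_count": acks}

def differing_segments(fp_a, fp_b):
    """Name the JA4SSH segments that differ between two fingerprints."""
    a, b = ja4ssh_segments(fp_a), ja4ssh_segments(fp_b)
    return [name for name in a if a[name] != b[name]]

def load_ndjson(text):
    """Parse `ja4.py --json ... | jq -c .` style output: one JSON object per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

if __name__ == "__main__":
    for flow, fields in find_conflicts(SAMPLE_RECORDS).items():
        print(flow, fields)
```

Feed real output with `load_ndjson(sys.stdin.read())` in place of `SAMPLE_RECORDS`; for the report's records the only conflicting field is `JA4SSH.1`, and `differing_segments` reports that the ACK-count segment is the one that changes.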