salesforce / ja3

JA3 is a standard for creating SSL client fingerprints in an easy to produce and shareable way.
BSD 3-Clause "New" or "Revised" License

No fingerprints generated for IPv6 handshakes #48

Closed curob closed 4 years ago

curob commented 4 years ago

In its current form, the JA3 code will not generate fingerprints for IPv6 TLS handshakes. For example, if you run the following:

ja3 -a /path/to/pcap/containing/ipv6.pcap

then it will just output [] indicating that no fingerprints were found.

The problem is because of one of the packet checks that is performed inside the process_pcap method:

if not isinstance(eth.data, dpkt.ip.IP):
    # We want an IP packet
    continue

This check will only allow IPv4 packets through.

I was able to get around this by changing the check to be:

if not (isinstance(eth.data, dpkt.ip.IP) or isinstance(eth.data, dpkt.ip6.IP6)):
    # We want an IP packet
    continue

After making this change, I was able to get fingerprints from PCAP files containing IPv6 packets.

The issue appears to be present in all of the following files:

jabedude commented 4 years ago

@curob you should open a PR!

curob commented 4 years ago

@jabedude, I think I may. Unfortunately, my normal dev machine is not connected to the internet so it may take me some time to get it together.

p-l- commented 4 years ago

FWIW, you can write if not isinstance(eth.data, (dpkt.ip.IP, dpkt.ip6.IP6)):.
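
The coverage gap discussed in this thread, as an added example (not code from the ja3 project or from anyone commenting here): it counts TLS ClientHello frames that survive an IPv4-only filter versus an IPv4+IPv6 filter. Assumptions: it uses only the standard library instead of dpkt, models the isinstance check as an EtherType allow-list, runs on constructed frames, and all function names are hypothetical.

```python
import struct

ETH_IPV4, ETH_IPV6, PROTO_TCP = 0x0800, 0x86DD, 6

def tcp_payload(frame, accepted):
    """TCP payload of an Ethernet frame, or None if the frame is filtered out."""
    ethertype = int.from_bytes(frame[12:14], "big")
    if len(frame) < 14 or ethertype not in accepted:  # stands in for isinstance()
        return None
    ip = frame[14:]
    if ethertype == ETH_IPV4:
        if len(ip) < 20 or ip[9] != PROTO_TCP:
            return None
        seg = ip[(ip[0] & 0x0F) * 4:]
    else:  # fixed 40-byte IPv6 header; extension headers are not walked
        if len(ip) < 40 or ip[6] != PROTO_TCP:
            return None
        seg = ip[40:]
    if len(seg) < 20:
        return None
    return seg[(seg[12] >> 4) * 4:]

def is_client_hello(payload):
    # TLS record type 0x16 (handshake), major version 3, handshake type 1
    return (payload is not None and len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01)

def count_hellos(frames, accepted):
    return sum(is_client_hello(tcp_payload(f, accepted)) for f in frames)

# --- constructed sample frames (documentation addresses, zeroed checksums) ---
HELLO = bytes.fromhex("160301000401000000")  # record header + empty handshake
ADDR4, ADDR6 = bytes([192, 0, 2, 1]), bytes.fromhex("20010db8" + "00" * 12)

def _frame(ethertype, ip_header, payload):
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return b"\x02" * 12 + struct.pack("!H", ethertype) + ip_header + tcp + payload

def ipv4_frame(payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64,
                      PROTO_TCP, 0, ADDR4, ADDR4)
    return _frame(ETH_IPV4, hdr, payload)

def ipv6_frame(payload):
    hdr = struct.pack("!IHBB16s16s", 6 << 28, 20 + len(payload), PROTO_TCP, 64,
                      ADDR6, ADDR6)
    return _frame(ETH_IPV6, hdr, payload)

SAMPLE = [ipv4_frame(HELLO), ipv6_frame(HELLO), ipv6_frame(b"GET /")]
```

Comparing `count_hellos(SAMPLE, (ETH_IPV4,))` with `count_hellos(SAMPLE, (ETH_IPV4, ETH_IPV6))` shows how many handshakes the narrower filter drops without any error.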

curob commented 4 years ago

@p-l- I did not realize I could do that; I learn something new every day. Thanks!

curob commented 4 years ago

Pull request up: https://github.com/salesforce/ja3/pull/50

curob commented 4 years ago

I have signed the CLA but the pull request indicates that I still need to. Does anyone know how to resolve this?

Also, does anyone know when the salesforce team usually pulls in changes? The age of the other pull requests is not very encouraging.

jabedude commented 4 years ago

@curob try doing this: https://stackoverflow.com/questions/39287680/invalid-email-address-on-github.

curob commented 4 years ago

@jabedude Ok. I removed the old pull request, created a new remote branch with correct user information, and created a new pull request (https://github.com/salesforce/ja3/pull/53).

All checks are now passing!

tstallings commented 4 years ago

This has been merged.