JA4 is a suite of passive network fingerprinting methods that supersede the aging JA3/S standard.

| Name | Meaning |
|---|---|
| JA4 | TLS client fingerprint (supersedes JA3) |
| JA4S | TLS server fingerprint (supersedes JA3S) |
| JA4L-C/S | Light distance/location fingerprint |
| JA4H | HTTP client fingerprint |
| JA4SSH | SSH traffic fingerprint |
| JA4X | X.509 fingerprint |

```
Usage: ja4 [OPTIONS] <PCAP>

Arguments:
  <PCAP>
          The capture file to process

Options:
  -j, --json
          JSON output (default is YAML)

  -r, --with-raw
          Include raw (unhashed) fingerprints in the output

  -O, --original-order
          Preserve the original order of values.

          JA4 (TLS client): disable sorting of ciphers and TLS extensions.

          JA4H (HTTP client): disable sorting of headers and cookies.

      --keylog-file <KEYLOG_FILE>
          The key log file that enables decryption of TLS traffic.

          This file is generated by the browser when `SSLKEYLOGFILE` environment variable is set. See <https://wiki.wireshark.org/TLS#using-the-pre-master-secret> for more details.

          Note that you can embed the TLS key log file in a capture file: `editcap --inject-secrets tls,keys.txt in.pcap out-dsb.pcapng`

  -n, --with-packet-numbers
          Include packet numbers (`pkt_*` fields) in the output.

          This information is useful for debugging.

  -h, --help
          Print help (see a summary with '-h')

  -V, --version
          Print version
```
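
To show what `-O, --original-order` and `-r, --with-raw` change, here is an added Python sketch (not code from the ja4 tool) of the cipher-list component of a JA4 TLS client fingerprint: GREASE values are dropped, the remaining suites are sorted unless original order is requested, and the comma-joined list is hashed with SHA-256 and truncated to 12 hex characters. The function names and both sample cipher lists are constructed for illustration; the same sort-before-hash idea applies to the TLS extension list.

```python
import hashlib


def is_grease(value: int) -> bool:
    """GREASE placeholders (RFC 8701) have the form 0x0a0a, 0x1a1a, ... 0xfafa."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def cipher_component(ciphers: list[int], original_order: bool = False) -> tuple[str, str]:
    """Return (raw, hashed) for the cipher-list part of a JA4 fingerprint.

    raw    -> what a raw (unhashed) fingerprint exposes for this component
    hashed -> first 12 hex characters of SHA-256 over the raw string
    """
    hexed = [f"{c:04x}" for c in ciphers if not is_grease(c)]
    if not original_order:
        # Default behaviour: sorting makes the value independent of offer order.
        hexed.sort()
    raw = ",".join(hexed)
    hashed = hashlib.sha256(raw.encode("ascii")).hexdigest()[:12]
    return raw, hashed


# Constructed sample: cipher suites as offered in one ClientHello (GREASE first).
OFFERED = [0x4A4A, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F,
           0xC02C, 0xC030, 0xCCA9, 0xCCA8]
# Constructed sample: the same suites offered in reverse, with another GREASE value.
REORDERED = [0x9A9A] + list(reversed(OFFERED[1:]))


def compare() -> dict:
    """Fingerprint both samples in sorted and original-order modes."""
    return {
        "sorted_a": cipher_component(OFFERED),
        "sorted_b": cipher_component(REORDERED),
        "orig_a": cipher_component(OFFERED, original_order=True),
        "orig_b": cipher_component(REORDERED, original_order=True),
    }


if __name__ == "__main__":
    for name, (raw, hashed) in compare().items():
        print(f"{name:9} {hashed}  {raw}")
```

With sorting, both samples collapse to one value, which is what you want when grouping clients by TLS stack; original order keeps them distinct, which helps when the ordering itself is the signal you are hunting for.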