JA4+ network fingerprinting library for TLS, TCP, HTTP, SSH, and X.509 analysis

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for Crank-PyPI from gravatar.com Crank-PyPI

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: BSD-3-Clause AND LicenseRef-FoxIO-1.1
  • Tags ja4 , ja4plus , fingerprinting , tls , tcp , http , ssh , x509 , network , security , scapy
  • Requires: Python >=3.8
  • Provides-Extra: dev , lookup
Classifiers
Report project as malware

Project description

A Python library and CLI for JA4+ network fingerprinting. Implements all eight JA4+ methods for identifying and classifying network traffic based on TLS, TCP, HTTP, SSH, and X.509 characteristics.

JA4+ is a set of network fingerprinting standards created by FoxIO. This library is an independent Python implementation of the published specification. For the original spec, see the FoxIO JA4+ repository.

Tests PyPI version Python versions License

Supported Fingerprint Types

Type Protocol Description
JA4 TLS Client fingerprint from ClientHello messages
JA4S TLS Server fingerprint from ServerHello messages
JA4H HTTP Client fingerprint from request headers and cookies
JA4T TCP Client OS fingerprint from SYN packets
JA4TS TCP Server fingerprint from SYN-ACK packets
JA4L TCP Light distance and latency estimation
JA4X X.509 Certificate structure fingerprint from OID sequences
JA4SSH SSH Session type classification from traffic patterns

Installation

pip install ja4plus

For fingerprint identification (browsers, malware, C2 frameworks):

pip install ja4plus[lookup]

CLI

The ja4plus command is available after installation:

# Analyze a PCAP file
ja4plus analyze capture.pcap

# JSON output for SIEM ingestion
ja4plus --format json analyze capture.pcap

# Only specific fingerprint types
ja4plus --types ja4,ja4t analyze capture.pcap

# Live capture (requires root)
sudo ja4plus live eth0

# Fingerprint a certificate
ja4plus cert server.der

# Identify known fingerprints
ja4plus --lookup analyze capture.pcap

Output formats: --format table (default), json (JSONL), csv

Fingerprint Lookup

ja4plus includes a bundled database of known JA4+ fingerprints from FoxIO's ja4plus-mapping.csv. Identifies Chrome, Firefox, Safari, Python, Cobalt Strike, Sliver, IcedID, and more.

from ja4plus.ja4db import lookup

result = lookup("t13d1516h2_8daaf6152771_02713d6af862")
# {"application": "Chromium Browser", "type": "ja4", "notes": ""}

Python API

Quick Start

from scapy.all import rdpcap
from ja4plus import JA4Fingerprinter

packets = rdpcap("capture.pcap")

fp = JA4Fingerprinter()
for packet in packets:
    result = fp.process_packet(packet)
    if result:
        print(f"JA4: {result}")

All Fingerprinters

from ja4plus import (
    JA4Fingerprinter,      # TLS Client
    JA4SFingerprinter,     # TLS Server
    JA4HFingerprinter,     # HTTP
    JA4TFingerprinter,     # TCP Client (SYN)
    JA4TSFingerprinter,    # TCP Server (SYN-ACK)
    JA4LFingerprinter,     # Latency
    JA4XFingerprinter,     # X.509 Certificate
    JA4SSHFingerprinter,   # SSH
)

All fingerprinters share a common interface:

Method Description
process_packet(pkt) Process a packet, returns fingerprint string or None
get_fingerprints() Returns list of all collected fingerprint dicts
reset() Clears all collected state

Function-Based API

For one-shot fingerprinting without maintaining state:

from ja4plus import generate_ja4, generate_ja4s, generate_ja4h

fingerprint = generate_ja4(packet)

See docs/usage.md for detailed usage of each fingerprinter and docs/api_reference.md for the full API.

Fingerprint Formats

Type Format Example
JA4 {proto}{ver}{sni}{ciphers}{exts}{alpn}_{hash}_{hash} t13d1516h2_8daaf6152771_e5627efa2ab1
JA4S {proto}{ver}{exts}{alpn}_{cipher}_{hash} t130200_1301_a56c5b993250
JA4H {method}{ver}{cookie}{ref}{cnt}{lang}_{h}_{h}_{h} ge11cr0800_edb4461d7a83_...
JA4T {window}_{options}_{mss}_{wscale} 65535_2-4-8-1-3_1460_7
JA4TS {window}_{options}_{mss}_{wscale} 14600_2-4-8-1-3_1460_0
JA4L {latency_us}_{ttl} 2500_56
JA4X {issuer}_{subject}_{extensions} a37f49ba31e2_a37f49ba31e2_dd4f1a0ef8b2
JA4SSH c{mode}s{mode}_c{pkts}s{pkts}_c{acks}s{acks} c36s36_c51s80_c69s0

Spec Validation

ja4plus is validated against FoxIO's official test vectors:

python tests/download_test_vectors.py
pytest -m spec_validation -v

Development

git clone https://github.com/Crank-Git/ja4plus.git
cd ja4plus
pip install -e ".[dev]"
pytest tests/ -v

Requirements

License

This library is released under the BSD 3-Clause License.

The JA4+ fingerprinting specifications were created by FoxIO. JA4 (TLS Client) is open source under BSD-3-Clause per FoxIO. Other JA4+ methods (JA4S, JA4H, JA4T, JA4TS, JA4L, JA4X, JA4SSH) implement FoxIO's specifications under the FoxIO License 1.1, which is permissive for academic, internal business, and security research use.

See LICENSE for full details.

Acknowledgments

JA4+ was created by John Althouse at FoxIO. This library is an independent implementation of the published specification. For the original spec and reference implementation, see github.com/FoxIO-LLC/ja4.

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for Crank-PyPI from gravatar.com Crank-PyPI

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: BSD-3-Clause AND LicenseRef-FoxIO-1.1
  • Tags ja4 , ja4plus , fingerprinting , tls , tcp , http , ssh , x509 , network , security , scapy
  • Requires: Python >=3.8
  • Provides-Extra: dev , lookup
Classifiers

Release history Release notifications | RSS feed

0.6.0

0.5.0

0.4.1

This version

0.4.0

0.3.0

0.2.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ja4plus-0.4.0.tar.gz (8.5 MB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ja4plus-0.4.0-py3-none-any.whl (2.5 MB view details)

Uploaded Python 3

File details

Details for the file ja4plus-0.4.0.tar.gz.

File metadata

  • Download URL: ja4plus-0.4.0.tar.gz
  • Upload date:
  • Size: 8.5 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for ja4plus-0.4.0.tar.gz
Algorithm Hash digest
SHA256 cd7664a8205266716dee3946664a14032888ace7c6cafe8668cb11ddf4397a40
MD5 48ad5505a521df41b6c320f2889cea3c
BLAKE2b-256 def3c82260626f5ab61e5e26152dbe8825dd05750170cfbff46611ab2d9b1eb9

See more details on using hashes here.

Provenance

The following attestation bundles were made for ja4plus-0.4.0.tar.gz:

Publisher: publish.yml on Crank-Git/ja4plus

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ja4plus-0.4.0-py3-none-any.whl.

File metadata

  • Download URL: ja4plus-0.4.0-py3-none-any.whl
  • Upload date:
  • Size: 2.5 MB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for ja4plus-0.4.0-py3-none-any.whl
Algorithm Hash digest
SHA256 639d9d6c68f161d26c03048e1812e62e7bb1686831d515ee8f676421b00945c4
MD5 72125c57cb82ba4ba6228970563b179f
BLAKE2b-256 ea780d885ca6cdc274cc82d24d91db73d0d6cfdbbe38f9fa36b894937736f72c

See more details on using hashes here.

Provenance

The following attestation bundles were made for ja4plus-0.4.0-py3-none-any.whl:

Publisher: publish.yml on Crank-Git/ja4plus

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page