JA4+ is a comprehensive suite of network fingerprinting methods designed for effective threat hunting, malware detection, and network security analysis.
Security analysts and network defenders use JA4+ to identify and monitor threat actors, detect malware, prevent session hijacking, and automate compliance by leveraging human- and machine-readable network fingerprints. It supports various fingerprinting techniques across TLS, HTTP, SSH, TCP, and latency measurements to enhance intrusion detection and threat hunting workflows.
JA4+ requires tshark for some implementations and benefits from integration with network monitoring tools like Zeek and Wireshark. Some features, such as Suricata and nzyme support, are under development. Users should review the technical details documentation to understand fingerprint formats and ensure proper deployment in their environments.
Install tshark for your platform (Linux, macOS, Windows) as a prerequisite
Clone the repository from GitHub: git clone https://github.com/FoxIO-LLC/ja4.git
For Python implementation, follow instructions in ./python/README.md
For Rust implementation, follow instructions in ./rust/README.md
For Wireshark plugin, follow instructions in ./wireshark/README.md
For Zeek integration, follow instructions in ./zeek/README.md
Use release assets for pre-built binaries if available
Run the JA4+ Wireshark plugin to fingerprint TLS traffic from a pcap file:
    tshark -X lua_script:ja4.lua -r capture.pcap
Use the Python implementation to analyze network captures for JA4+ fingerprints:
    python ja4.py --input capture.pcap
Run JA4+ fingerprinting within Zeek IDS on a pcap file:
    zeek -r capture.pcap ja4.zeek
Perform active TCP fingerprint scanning on a network range using JA4TScan:
    ja4tscan --scan 192.168.1.0/24