/usr/local/zeek/share/zeek/site/ja4/ja4l/main.zeek > Error "bad conversion to count" in the following line numbers: 110, 126, 153, 177, 183, 198, 96
Hi @danielguerra69 did this get resolved? No one else has reported these errors.
Hey @danielguerra69 and @john-althouse
This is also for anyone else seeing the same issue in the zeek reporter. I noticed the same issue. Not at an insane error rate in the zeek reporter, but enough to be annoying. Based on what I'm seeing: packets available for zeek to analyse can arrive out of order (due to jitter, pcap hardware, a million other factors). This then causes the calculation at those lines to become a negative value. The count conversion then fails and throws errors in the zeek reporter.
Originally, I thought the easiest workaround was to clamp the value to 0 if the calculation is negative. However, after some more thinking, that can cause some false fingerprints to be generated. So the latest fix is to just skip.
I tried to submit a PR but it was closed by a contributor without a chance to discuss. Also, I was told I'm a bot...
If anyone is looking for a "fix", the patched ja4l/main.zeek is available here. Full link: https://github.com/ichantio/ja4/blob/patch-1/zeek/ja4l/main.zeek NOTE: I'm not the best coder, so this is just me trying to get this working. It's not elegant but it works.
Copy this into your zeek <zeekpath>/share/site/packages/ja4/ja4l/main.zeek.
If you have a different location, look for it.
Then, as usual, run zeekctl check and, if there is no error, zeekctl deploy.
Make sure to check your conn.log afterwards to verify.
The summary of the fix is that we just return when the calculation is negative, so the value will just be empty in the zeek log. Example:
# Original line 96
c$fp$ja4l$ja4l_c = cat(double_to_count( (c$fp$ja4l$ack - c$fp$ja4l$synack) / 2.0));
# My workaround for the negative count
local dt = (c$fp$ja4l$ack - c$fp$ja4l$synack) / 2.0;
if (dt < 0.0) return;
c$fp$ja4l$ja4l_c = cat(double_to_count(dt));
Better to have an empty value than throwing an error in the reporter.
Cheers
Sorry about that. I was going off git history.
I still lean towards letting this go to reporter by default (JA4L should be generating errors if there is enough jitter to cause this and should not be considered reliable from that sensor).
We can gate the errors / not reporting on an optional config, but this code is invoked on every connection.
On Sat, Sep 20, 2025, 5:42 AM zippymicro @.***> wrote:
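The two positions in the thread (skip the negative delta so the field stays empty, versus keep it visible in the reporter so an unreliable sensor is noticed) can be combined behind a redef-able option, as the maintainer suggests. The following Zeek script is an added example, not code from the ja4 project or from either commenter; the module name, the option name, the function name and the sample timestamps are assumptions.

```zeek
# Added example (not the ja4 project's own code). Guarded JA4L-style
# timing conversion: negative deltas from out-of-order capture never reach
# double_to_count(), and an option decides whether they are reported.
module JA4L_Guard;

export {
    ## Assumed option name. When T, a negative delta is logged through the
    ## Reporter framework so a sensor with clock or ordering problems stays
    ## visible; when F, the field is silently left empty (the skip workaround).
    option report_negative_delta: bool = T;

    ## Returns the half round-trip as a string for the ja4l field, or an
    ## empty string when the delta is negative.
    global half_rtt_str: function(later: double, earlier: double): string;
}

function half_rtt_str(later: double, earlier: double): string
    {
    local dt = (later - earlier) / 2.0;

    if ( dt < 0.0 )
        {
        if ( report_negative_delta )
            Reporter::warning(fmt("JA4L: negative timing delta %.6f; packets probably out of order", dt));
        # Empty field instead of a "bad conversion to count" runtime error.
        return "";
        }

    return cat(double_to_count(dt));
    }

event zeek_init()
    {
    # Constructed sample timestamps standing in for c$fp$ja4l$synack and
    # c$fp$ja4l$ack; real values come from the connection record.
    print half_rtt_str(1500.0, 1000.0);   # in-order capture: "250"
    print half_rtt_str(1000.0, 1500.0);   # out-of-order capture: "" plus a warning
    }
```

Operators who want the silent behaviour can set `redef JA4L_Guard::report_negative_delta = F;` in local.zeek; the conversion itself is unchanged either way.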