Possible inconsistency in the number of extensions in JA4S

Open rubende opened this issue 3 months ago • 0 comments

Hello.

I'm seeing something that doesn't fit in the JA4S calculation. The third field (after the protocol and TLS version) is, if I understand correctly, the number of extensions in the ServerHello packet.

Currently, in Wireshark, I am seeing a single extension in a ServerHello, with the number 65281. This matches at the byte level, and using PcapPlusPlus I come to the same conclusion. I am attaching a Wireshark screenshot.

Image

The Python code in this repository that calculates the JA4S applies the following lines:

```python
x['extensions'] = [ '{:04x}'.format(int(k)) for k in x['extensions'] ]

ext_len = '{:02d}'.format(min(len(x['extensions']), 99))
```

This tells me that there are five extensions, not one, and that these five are: ['0006', '0005', '0002', '0008', '0001']

This implies that the Python code is not counting the number of extensions, but rather the number of bytes in the extensions. Is this correct, or is it a bug in the JA4S calculation?

Thank you.

rubende, Oct 23 '25 11:10
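An independent byte-level check of the extension count discussed in this issue, as an added example that is not part of the original post or of the JA4 repository. It walks the extensions block of a raw ServerHello handshake message (TLS record header already stripped) and applies the same `'{:04x}'` and `'{:02d}'` formatting quoted above; the function names and the sample bytes are constructed for illustration.

```python
import struct

def server_hello_extension_types(hs: bytes) -> list:
    """Extension type codes, in wire order, from one ServerHello handshake message."""
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake message")
    try:
        pos = 2 + 32                      # legacy_version + random
        pos += 1 + body[pos]              # session_id length byte + session_id
        pos += 2 + 1                      # cipher_suite + compression_method
        if pos == len(body):
            return []                     # no extensions block present
        (total,) = struct.unpack_from("!H", body, pos)
        pos += 2
        end = pos + total
        if end != len(body):
            raise ValueError("extensions length does not match message length")
        types = []
        while pos < end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4 + ext_len            # skip the data: payload bytes are never counted
            types.append(ext_type)
        if pos != end:
            raise ValueError("extension overruns the extensions block")
        return types
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ServerHello") from exc

def extension_count_field(types: list) -> tuple:
    """Format the count and the type list the way the snippet quoted in the issue does."""
    hex_types = ['{:04x}'.format(int(k)) for k in types]
    return '{:02d}'.format(min(len(hex_types), 99)), hex_types

# Constructed sample: a TLS 1.2 ServerHello carrying only extension 65281 (0xff01).
SAMPLE = (bytes.fromhex("0200002d0303") + bytes(32) +
          bytes.fromhex("00" "c02f" "00" "0005" "ff010001" "00"))

if __name__ == "__main__":
    print(extension_count_field(server_hello_extension_types(SAMPLE)))
```

Comparing this output with the list that reaches the quoted lines shows whether the difference arises before them (in how `x['extensions']` is populated) or in the formatting itself.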