A JA4+ Profile for Wireshark

  • File Size 61.01 KB
  • File Count 1
  • Create Date July 6, 2025
  • Last Updated July 6, 2025

Special thanks to Peter Gaudiomonte for sharing this profile to the repository.

What is JA4+?

JA4+ is an extension of the JA4 (Just Another 4-tuple) family of fingerprinting techniques. It's used for network traffic fingerprinting—especially in encrypted traffic analysis—and can be useful for threat detection, TLS/QUIC fingerprinting, and application identification, even when payloads are encrypted.

Breakdown:

  • JA4: Originally introduced by John Althouse at Salesforce, it was designed to improve on JA3 (TLS fingerprinting) by offering:

    • Better support for TLS 1.3, QUIC, and modern encryption

    • More precise client fingerprinting using different parts of the TLS handshake or QUIC handshake

  • JA4+: A more comprehensive variant that can combine:

    • TLS/QUIC fingerprinting

    • HTTP and DNS metadata

    • JA4-TLS, JA4-QUIC, JA4-H, JA4-D (various layers)
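
The following is an added example, not part of the profile or of the FoxIO plugin: it assembles the TLS client JA4 string from parsed ClientHello fields, following the JA4 specification published in the FoxIO-LLC/ja4 repository. The `hello` dictionary layout, the function names and the sample values are assumptions constructed for illustration, and ALPN values that start or end with a non-alphanumeric character are not handled.

```python
import hashlib

TLS_VERSIONS = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10", 0x0300: "s3"}

def is_grease(v):
    # GREASE placeholders (RFC 8701) look like 0x0a0a, 0x1a1a ... 0xfafa and are ignored
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)

def trunc_hash(text):
    # JA4 keeps the first 12 hex characters of the SHA-256 digest
    return hashlib.sha256(text.encode()).hexdigest()[:12]

def ja4(hello, proto="t"):
    """Build the JA4 string from a parsed ClientHello (dict layout is hypothetical)."""
    ciphers = [c for c in hello["ciphers"] if not is_grease(c)]
    exts = [e for e in hello["extensions"] if not is_grease(e)]
    # Highest value offered in supported_versions wins over the legacy version field
    offered = [v for v in hello.get("supported_versions", []) if not is_grease(v)]
    version = max(offered) if offered else hello["version"]
    sni = "d" if 0x0000 in exts else "i"          # server_name extension present?
    alpn = hello.get("alpn") or []
    alpn_tag = alpn[0][0] + alpn[0][-1] if alpn else "00"
    part_a = "{}{}{}{:02d}{:02d}{}".format(
        proto, TLS_VERSIONS.get(version, "00"), sni,
        min(len(ciphers), 99), min(len(exts), 99), alpn_tag)
    # Ciphers and extensions are sorted, so a client that shuffles their order
    # still yields the same fingerprint
    part_b = trunc_hash(",".join(sorted(f"{c:04x}" for c in ciphers))) if ciphers else "0" * 12
    # SNI (0x0000) and ALPN (0x0010) are counted in part_a but left out of the hash
    ext_list = ",".join(sorted(f"{e:04x}" for e in exts if e not in (0x0000, 0x0010)))
    # Signature algorithms are appended in the order sent, not sorted
    sigs = ",".join(f"{s:04x}" for s in hello.get("sig_algs", []) if not is_grease(s))
    part_c = trunc_hash(ext_list + ("_" + sigs if sigs else "")) if exts else "0" * 12
    return f"{part_a}_{part_b}_{part_c}"

# Constructed sample ClientHello (values chosen for illustration, not from a capture)
SAMPLE = {
    "version": 0x0303,
    "supported_versions": [0x2A2A, 0x0304, 0x0303],
    "ciphers": [0x0A0A, 0x1301, 0x1302, 0x1303, 0xC02B],
    "extensions": [0x1A1A, 0x0000, 0x0017, 0xFF01, 0x000A, 0x000B, 0x0023,
                   0x0010, 0x0005, 0x000D, 0x0012, 0x0033, 0x002D, 0x002B, 0x001B],
    "alpn": ["h2", "http/1.1"],
    "sig_algs": [0x0403, 0x0804, 0x0401],
}

if __name__ == "__main__":
    print(ja4(SAMPLE))
```

The first section of the output is human-readable (protocol, TLS version, SNI flag, cipher count, extension count, ALPN tag), which is what makes JA4 values easy to group and filter on in Wireshark columns.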

Use Cases:

  • Detecting malicious or evasive clients by matching encrypted session behavior

  • Identifying applications or devices behind NATs

  • Enhancing Zero Trust policies

  • Complementing Intrusion Detection Systems (IDS)

JA4+ allows analysts to correlate behavior across protocols, helping to detect encrypted threats that evade traditional DPI (Deep Packet Inspection).

There is a Wireshark plugin written by John Althouse - you will find it and further instructions here: https://github.com/FoxIO-LLC/ja4/tree/main/wireshark

You will also find JA4+ pcaps within that same repository.
