Add ja4l_delta and ja4ls_delta derived fields to JA4 wireshark plugin (#245)

vlvkobal · web-flow · commit 5672966bae1a · 2025-08-07T11:16:02.000-04:00
* Add JA4L delta

* Add JA4D to the documentation

* Use FT_DOUBLE for delta fields
diff --git a/wireshark/README.md b/wireshark/README.md
@@ -168,6 +168,7 @@ JA4+ fields are found under `ja4.*` in Wireshark. These fields represent differe
 | **JA4SSH** (SSH Traffic) | `ja4.ja4ssh` |
 | **JA4T** (TCP Client) | `ja4.ja4t` |
 | **JA4TS** (TCP Server) | `ja4.ja4ts` |
+| **JA4D** (DHCP) | `ja4.ja4d` |
 
 ### Adding JA4+ Columns in Wireshark
 
@@ -202,6 +203,7 @@ Alternatively, you can manually modify Wireshark's **preferences file** using a
    "JA4LS", "%Cus:ja4.ja4ls:0:R",
    "JA4X", "%Cus:ja4.ja4x:0:R",
    "JA4SSH", "%Cus:ja4.ja4ssh:0:R"
+   "JA4D", "%Cus:ja4.ja4d:0:R"
    ```
 
 3. Save the file and restart Wireshark.
diff --git a/wireshark/source/packet-ja4.c b/wireshark/source/packet-ja4.c
@@ -65,7 +65,9 @@ static int hf_ja4h = -1;
 static int hf_ja4h_raw = -1;
 static int hf_ja4h_raw_original = -1;
 static int hf_ja4l = -1;
+static int hf_ja4l_delta = -1;
 static int hf_ja4ls = -1;
+static int hf_ja4ls_delta = -1;
 static int hf_ja4ssh = -1;
 static int hf_ja4t = -1;
 static int hf_ja4ts = -1;
@@ -282,7 +284,7 @@ proto_tree *locate_tree(proto_tree *tree, const char *s) {
 
 void update_tree_item(
     tvbuff_t *tvb, proto_tree *tree, proto_tree **ja4_tree, int field,
-    const char *str, const char *insert_at
+    const void *data, const char *insert_at
 ) {
 
     // We get to the right part of the tree using locate_tree and insert the
@@ -300,7 +302,12 @@ void update_tree_item(
         *ja4_tree = proto_item_add_subtree(ja4_ti, ett_ja4);
     }
 
-    proto_tree_add_string(*ja4_tree, field, NULL, 0, 0, str);
+    enum ftenum type = proto_registrar_get_ftype(field);
+    if (type == FT_STRING) {
+        proto_tree_add_string(*ja4_tree, field, NULL, 0, 0, (const char *)data);
+    } else if (type == FT_DOUBLE) {
+        proto_tree_add_double(*ja4_tree, field, NULL, 0, 0, *(const double *)data);
+    }
 }
 
 void update_mode(int pkt_len, wmem_map_t *hash_table) {
@@ -1190,6 +1197,13 @@ static int dissect_ja4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void
                                         wmem_strbuf_finalize(display), "tcp"
                                     );
 
+                                    double delta = (double)latency2.nsecs / (double)latency.nsecs;
+                                    delta = round(delta * 10.0) / 10.0;
+                                    update_tree_item(
+                                        tvb, tree, &ja4_tree, hf_ja4ls_delta,
+                                        &delta, "tcp"
+                                    );
+
                                     nstime_delta(&latency, &conn->timestamp_C, &conn->timestamp_B);
                                     nstime_delta(&latency2, &conn->timestamp_F, &conn->timestamp_E);
                                     wmem_strbuf_append_printf(
@@ -1200,6 +1214,13 @@ static int dissect_ja4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void
                                         tvb, tree, &ja4_tree, hf_ja4l,
                                         wmem_strbuf_finalize(display2), "tcp"
                                     );
+
+                                    double delta2 = (double)latency2.nsecs / (double)latency.nsecs;
+                                    delta2 = round(delta2 * 10.0) / 10.0;
+                                    update_tree_item(
+                                        tvb, tree, &ja4_tree, hf_ja4l_delta,
+                                        &delta2, "tcp"
+                                    );
                                 }
                             }
                         }
@@ -1489,7 +1510,11 @@ void proto_register_ja4(void) {
         {&hf_ja4h_raw_original,
          {"JA4H Raw (Original)", "ja4.ja4h_ro", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL}           },
         {&hf_ja4l,              {"JA4L", "ja4.ja4l", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL}      },
+        {&hf_ja4l_delta,
+         {"JA4L Delta", "ja4.ja4l_delta", FT_DOUBLE, BASE_NONE, NULL, 0x0, NULL, HFILL}                 },
         {&hf_ja4ls,             {"JA4LS", "ja4.ja4ls", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL}    },
+        {&hf_ja4ls_delta,
+         {"JA4LS Delta", "ja4.ja4ls_delta", FT_DOUBLE, BASE_NONE, NULL, 0x0, NULL, HFILL}               },
         {&hf_ja4ssh,            {"JA4SSH", "ja4.ja4ssh", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL}  },
         {&hf_ja4t,              {"JA4T", "ja4.ja4t", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL}      },
         {&hf_ja4ts,             {"JA4T-S", "ja4.ja4ts", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL}   },
diff --git a/wireshark/test/generate-output-files.sh b/wireshark/test/generate-output-files.sh
@@ -15,7 +15,9 @@ FIELDS="-Y ja4 -T json \
 -e ja4.ja4h_r \
 -e ja4.ja4h_ro \
 -e ja4.ja4l \
+-e ja4.ja4l_delta \
 -e ja4.ja4ls \
+-e ja4.ja4ls_delta \
 -e ja4.ja4ssh \
 -e ja4.ja4t \
 -e ja4.ja4ts \
diff --git a/wireshark/test/test_tshark_output.py b/wireshark/test/test_tshark_output.py
@@ -35,7 +35,9 @@ def test_tshark_output_matches_expected(pcap_file):
             "-e", "ja4.ja4h_r",
             "-e", "ja4.ja4h_ro",
             "-e", "ja4.ja4l",
+            "-e", "ja4.ja4l_delta",
             "-e", "ja4.ja4ls",
+            "-e", "ja4.ja4ls_delta",
             "-e", "ja4.ja4ssh",
             "-e", "ja4.ja4t",
             "-e", "ja4.ja4ts",
diff --git a/wireshark/test/testdata/badcurveball.pcap.json b/wireshark/test/testdata/badcurveball.pcap.json
@@ -79,8 +79,14 @@
         "ja4.ja4l": [
           "2177_64_114732"
         ],
+        "ja4.ja4l_delta": [
+          "52.7"
+        ],
         "ja4.ja4ls": [
           "781_238_9107"
+        ],
+        "ja4.ja4ls_delta": [
+          "11.7"
         ]
       }
     }
diff --git a/wireshark/test/testdata/browsers-x509.pcapng.json b/wireshark/test/testdata/browsers-x509.pcapng.json
@@ -67,8 +67,14 @@
         "ja4.ja4l": [
           "56_128_2870"
         ],
+        "ja4.ja4l_delta": [
+          "51.3"
+        ],
         "ja4.ja4ls": [
           "1907_112_343965"
+        ],
+        "ja4.ja4ls_delta": [
+          "180.3"
         ]
       }
     }
@@ -153,8 +159,14 @@
         "ja4.ja4l": [
           "73_128_1768"
         ],
+        "ja4.ja4l_delta": [
+          "24.1"
+        ],
         "ja4.ja4ls": [
           "7166_41_387249"
+        ],
+        "ja4.ja4ls_delta": [
+          "54"
         ]
       }
     }
@@ -241,8 +253,14 @@
         "ja4.ja4l": [
           "78_128_150466"
         ],
+        "ja4.ja4l_delta": [
+          "1929.1"
+        ],
         "ja4.ja4ls": [
           "2948_229_14055"
+        ],
+        "ja4.ja4ls_delta": [
+          "4.8"
         ]
       }
     }
diff --git a/wireshark/test/testdata/http2-with-cookies.pcapng.json b/wireshark/test/testdata/http2-with-cookies.pcapng.json
@@ -81,8 +81,14 @@
         "ja4.ja4l": [
           "47_128_455044"
         ],
+        "ja4.ja4l_delta": [
+          "9579.9"
+        ],
         "ja4.ja4ls": [
           "44840_117_48774"
+        ],
+        "ja4.ja4ls_delta": [
+          "1.1"
         ]
       }
     }
diff --git a/wireshark/test/testdata/latest.pcapng.json b/wireshark/test/testdata/latest.pcapng.json
@@ -79,8 +79,14 @@
         "ja4.ja4l": [
           "62_128_930"
         ],
+        "ja4.ja4l_delta": [
+          "15"
+        ],
         "ja4.ja4ls": [
           "33804_227_35440"
+        ],
+        "ja4.ja4ls_delta": [
+          "1"
         ]
       }
     }
@@ -165,8 +171,14 @@
         "ja4.ja4l": [
           "57_128_2696"
         ],
+        "ja4.ja4l_delta": [
+          "47.3"
+        ],
         "ja4.ja4ls": [
           "7096_245_3800"
+        ],
+        "ja4.ja4ls_delta": [
+          "0.5"
         ]
       }
     }
@@ -300,8 +312,14 @@
         "ja4.ja4l": [
           "47_128_34471"
         ],
+        "ja4.ja4l_delta": [
+          "725.7"
+        ],
         "ja4.ja4ls": [
           "14207_43_18819"
+        ],
+        "ja4.ja4ls_delta": [
+          "1.3"
         ]
       }
     }
@@ -374,8 +392,14 @@
         "ja4.ja4l": [
           "40_128_1829"
         ],
+        "ja4.ja4l_delta": [
+          "45.7"
+        ],
         "ja4.ja4ls": [
           "42103_109_42502"
+        ],
+        "ja4.ja4ls_delta": [
+          "1"
         ]
       }
     }
@@ -448,8 +472,14 @@
         "ja4.ja4l": [
           "61_128_1680"
         ],
+        "ja4.ja4l_delta": [
+          "27.3"
+        ],
         "ja4.ja4ls": [
           "53595_109_42401"
+        ],
+        "ja4.ja4ls_delta": [
+          "0.8"
         ]
       }
     }
diff --git a/wireshark/test/testdata/ssh-r.pcap.json b/wireshark/test/testdata/ssh-r.pcap.json
@@ -41,8 +41,14 @@
         "ja4.ja4l": [
           "94_128_5421"
         ],
+        "ja4.ja4l_delta": [
+          "57.4"
+        ],
         "ja4.ja4ls": [
           "32_64_9660"
+        ],
+        "ja4.ja4ls_delta": [
+          "297.2"
         ]
       }
     }
@@ -104,8 +110,14 @@
         "ja4.ja4l": [
           "14_64_115"
         ],
+        "ja4.ja4l_delta": [
+          "8.2"
+        ],
         "ja4.ja4ls": [
           "4171_116_8099"
+        ],
+        "ja4.ja4ls_delta": [
+          "1.9"
         ]
       }
     }
@@ -182,8 +194,14 @@
         "ja4.ja4l": [
           "12_64_230"
         ],
+        "ja4.ja4l_delta": [
+          "19.2"
+        ],
         "ja4.ja4ls": [
           "3169_116_7225"
+        ],
+        "ja4.ja4ls_delta": [
+          "2.3"
         ]
       }
     }
diff --git a/wireshark/test/testdata/ssh-scp-1050.pcap.json b/wireshark/test/testdata/ssh-scp-1050.pcap.json
@@ -41,8 +41,14 @@
         "ja4.ja4l": [
           "179_128_8921"
         ],
+        "ja4.ja4l_delta": [
+          "49.7"
+        ],
         "ja4.ja4ls": [
           "38_64_-496312"
+        ],
+        "ja4.ja4ls_delta": [
+          "-12891.2"
         ]
       }
     }
diff --git a/wireshark/test/testdata/ssh2-malformed.pcap.json b/wireshark/test/testdata/ssh2-malformed.pcap.json
@@ -41,8 +41,14 @@
         "ja4.ja4l": [
           "7_64_480189"
         ],
+        "ja4.ja4l_delta": [
+          "64025.3"
+        ],
         "ja4.ja4ls": [
           "462_60_-480132"
+        ],
+        "ja4.ja4ls_delta": [
+          "-1038.1"
         ]
       }
     }
diff --git a/wireshark/test/testdata/ssh2-moloch-crash.pcap.json b/wireshark/test/testdata/ssh2-moloch-crash.pcap.json
@@ -41,8 +41,14 @@
         "ja4.ja4l": [
           "7_64_480189"
         ],
+        "ja4.ja4l_delta": [
+          "64025.3"
+        ],
         "ja4.ja4ls": [
           "462_60_-480132"
+        ],
+        "ja4.ja4ls_delta": [
+          "-1038.1"
         ]
       }
     }
diff --git a/wireshark/test/testdata/ssh2.pcapng.json b/wireshark/test/testdata/ssh2.pcapng.json
diff --git a/wireshark/test/testdata/tcpdump-geneve.pcap.json b/wireshark/test/testdata/tcpdump-geneve.pcap.json
diff --git a/wireshark/test/testdata/tls3.pcapng.json b/wireshark/test/testdata/tls3.pcapng.json

Original file line number	Diff line number	Diff line change
`@@ -79,8 +79,14 @@`
`79`	`79`	`"ja4.ja4l": [`
`80`	`80`	`"2177_64_114732"`
`81`	`81`	`],`
	`82`	`+ "ja4.ja4l_delta": [`
	`83`	`+ "52.7"`
	`84`	`+ ],`
`82`	`85`	`"ja4.ja4ls": [`
`83`	`86`	`"781_238_9107"`
	`87`	`+ ],`
	`88`	`+ "ja4.ja4ls_delta": [`
	`89`	`+ "11.7"`
`84`	`90`	`]`
`85`	`91`	`}`
`86`	`92`	`}`
Original file line number	Diff line number	Diff line change
`@@ -67,8 +67,14 @@`
`67`	`67`	`"ja4.ja4l": [`
`68`	`68`	`"56_128_2870"`
`69`	`69`	`],`
	`70`	`+ "ja4.ja4l_delta": [`
	`71`	`+ "51.3"`
	`72`	`+ ],`
`70`	`73`	`"ja4.ja4ls": [`
`71`	`74`	`"1907_112_343965"`
	`75`	`+ ],`
	`76`	`+ "ja4.ja4ls_delta": [`
	`77`	`+ "180.3"`
`72`	`78`	`]`
`73`	`79`	`}`
`74`	`80`	`}`
`@@ -153,8 +159,14 @@`
`153`	`159`	`"ja4.ja4l": [`
`154`	`160`	`"73_128_1768"`
`155`	`161`	`],`
	`162`	`+ "ja4.ja4l_delta": [`
	`163`	`+ "24.1"`
	`164`	`+ ],`
`156`	`165`	`"ja4.ja4ls": [`
`157`	`166`	`"7166_41_387249"`
	`167`	`+ ],`
	`168`	`+ "ja4.ja4ls_delta": [`
	`169`	`+ "54"`
`158`	`170`	`]`
`159`	`171`	`}`
`160`	`172`	`}`
`@@ -241,8 +253,14 @@`
`241`	`253`	`"ja4.ja4l": [`
`242`	`254`	`"78_128_150466"`
`243`	`255`	`],`
	`256`	`+ "ja4.ja4l_delta": [`
	`257`	`+ "1929.1"`
	`258`	`+ ],`
`244`	`259`	`"ja4.ja4ls": [`
`245`	`260`	`"2948_229_14055"`
	`261`	`+ ],`
	`262`	`+ "ja4.ja4ls_delta": [`
	`263`	`+ "4.8"`
`246`	`264`	`]`
`247`	`265`	`}`
`248`	`266`	`}`
Original file line number	Diff line number	Diff line change
`@@ -81,8 +81,14 @@`
`81`	`81`	`"ja4.ja4l": [`
`82`	`82`	`"47_128_455044"`
`83`	`83`	`],`
	`84`	`+ "ja4.ja4l_delta": [`
	`85`	`+ "9579.9"`
	`86`	`+ ],`
`84`	`87`	`"ja4.ja4ls": [`
`85`	`88`	`"44840_117_48774"`
	`89`	`+ ],`
	`90`	`+ "ja4.ja4ls_delta": [`
	`91`	`+ "1.1"`
`86`	`92`	`]`
`87`	`93`	`}`
`88`	`94`	`}`
Original file line number	Diff line number	Diff line change
`@@ -41,8 +41,14 @@`
`41`	`41`	`"ja4.ja4l": [`
`42`	`42`	`"94_128_5421"`
`43`	`43`	`],`
	`44`	`+ "ja4.ja4l_delta": [`
	`45`	`+ "57.4"`
	`46`	`+ ],`
`44`	`47`	`"ja4.ja4ls": [`
`45`	`48`	`"32_64_9660"`
	`49`	`+ ],`
	`50`	`+ "ja4.ja4ls_delta": [`
	`51`	`+ "297.2"`
`46`	`52`	`]`
`47`	`53`	`}`
`48`	`54`	`}`
`@@ -104,8 +110,14 @@`
`104`	`110`	`"ja4.ja4l": [`
`105`	`111`	`"14_64_115"`
`106`	`112`	`],`
	`113`	`+ "ja4.ja4l_delta": [`
	`114`	`+ "8.2"`
	`115`	`+ ],`
`107`	`116`	`"ja4.ja4ls": [`
`108`	`117`	`"4171_116_8099"`
	`118`	`+ ],`
	`119`	`+ "ja4.ja4ls_delta": [`
	`120`	`+ "1.9"`
`109`	`121`	`]`
`110`	`122`	`}`
`111`	`123`	`}`
`@@ -182,8 +194,14 @@`
`182`	`194`	`"ja4.ja4l": [`
`183`	`195`	`"12_64_230"`
`184`	`196`	`],`
	`197`	`+ "ja4.ja4l_delta": [`
	`198`	`+ "19.2"`
	`199`	`+ ],`
`185`	`200`	`"ja4.ja4ls": [`
`186`	`201`	`"3169_116_7225"`
	`202`	`+ ],`
	`203`	`+ "ja4.ja4ls_delta": [`
	`204`	`+ "2.3"`
`187`	`205`	`]`
`188`	`206`	`}`
`189`	`207`	`}`