Add ja4l_delta and ja4ls_delta derived fields to JA4 wireshark plugin by vlvkobal · Pull Request #245 · FoxIO-LLC/ja4

vlvkobal · 2025-08-05T17:52:19Z

This PR adds two numeric fields to the JA4 Wireshark dissector:

They are computed only when the _c value is numeric and exported for use in filters, columns, and JSON output.

Example (tshark):

ja4.ja4l = 2177_64_114732
ja4.ja4l_delta = 52.7
ja4.ja4ls = 781_238_9107
ja4.ja4ls_delta = 11.7

Also includes a minor documentation update mentioning JA4D.

vlvkobal added 3 commits August 5, 2025 19:30

Add JA4L delta

609b205

Add JA4D to the documentation

90f4457

Use FT_DOUBLE for delta fields

5ed07f4

vlvkobal requested a review from igr001-galactica August 7, 2025 10:27

igr001-galactica merged commit 5672966 into FoxIO-LLC:main Aug 7, 2025
5 checks passed

vlvkobal deleted the ja4l-delta branch August 8, 2025 11:27

Provide feedback