FoxIO-LLC · igr001-galactica · Aug 7, 2025 · Aug 5, 2025 · Aug 5, 2025 · Aug 7, 2025
diff --git a/wireshark/README.md b/wireshark/README.md
@@ -168,6 +168,7 @@ JA4+ fields are found under `ja4.*` in Wireshark. These fields represent differe
 | **JA4SSH** (SSH Traffic) | `ja4.ja4ssh` |
 | **JA4T** (TCP Client) | `ja4.ja4t` |
 | **JA4TS** (TCP Server) | `ja4.ja4ts` |
+| **JA4D** (DHCP) | `ja4.ja4d` |
 
 ### Adding JA4+ Columns in Wireshark
 
@@ -202,6 +203,7 @@ Alternatively, you can manually modify Wireshark's **preferences file** using a
    "JA4LS", "%Cus:ja4.ja4ls:0:R",
    "JA4X", "%Cus:ja4.ja4x:0:R",
    "JA4SSH", "%Cus:ja4.ja4ssh:0:R"
+   "JA4D", "%Cus:ja4.ja4d:0:R"
    ```
 
 3. Save the file and restart Wireshark.

diff --git a/wireshark/source/packet-ja4.c b/wireshark/source/packet-ja4.c
@@ -65,7 +65,9 @@ static int hf_ja4h = -1;
 static int hf_ja4h_raw = -1;
 static int hf_ja4h_raw_original = -1;
 static int hf_ja4l = -1;
+static int hf_ja4l_delta = -1;
 static int hf_ja4ls = -1;
+static int hf_ja4ls_delta = -1;
 static int hf_ja4ssh = -1;
 static int hf_ja4t = -1;
 static int hf_ja4ts = -1;
@@ -282,7 +284,7 @@ proto_tree *locate_tree(proto_tree *tree, const char *s) {
 
 void update_tree_item(
     tvbuff_t *tvb, proto_tree *tree, proto_tree **ja4_tree, int field,
-    const char *str, const char *insert_at
+    const void *data, const char *insert_at
 ) {
 
     // We get to the right part of the tree using locate_tree and insert the
@@ -300,7 +302,12 @@ void update_tree_item(
         *ja4_tree = proto_item_add_subtree(ja4_ti, ett_ja4);
     }
 
-    proto_tree_add_string(*ja4_tree, field, NULL, 0, 0, str);
+    enum ftenum type = proto_registrar_get_ftype(field);
+    if (type == FT_STRING) {
+        proto_tree_add_string(*ja4_tree, field, NULL, 0, 0, (const char *)data);
+    } else if (type == FT_DOUBLE) {
+        proto_tree_add_double(*ja4_tree, field, NULL, 0, 0, *(const double *)data);
+    }
 }
 
 void update_mode(int pkt_len, wmem_map_t *hash_table) {
@@ -1190,6 +1197,13 @@ static int dissect_ja4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void
                                         wmem_strbuf_finalize(display), "tcp"
                                     );
 
+                                    double delta = (double)latency2.nsecs / (double)latency.nsecs;
+                                    delta = round(delta * 10.0) / 10.0;
+                                    update_tree_item(
+                                        tvb, tree, &ja4_tree, hf_ja4ls_delta,
+                                        &delta, "tcp"
+                                    );
+
                                     nstime_delta(&latency, &conn->timestamp_C, &conn->timestamp_B);
                                     nstime_delta(&latency2, &conn->timestamp_F, &conn->timestamp_E);
                                     wmem_strbuf_append_printf(
@@ -1200,6 +1214,13 @@ static int dissect_ja4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void
                                         tvb, tree, &ja4_tree, hf_ja4l,
                                         wmem_strbuf_finalize(display2), "tcp"
                                     );
+
+                                    double delta2 = (double)latency2.nsecs / (double)latency.nsecs;
+                                    delta2 = round(delta2 * 10.0) / 10.0;
+                                    update_tree_item(
+                                        tvb, tree, &ja4_tree, hf_ja4l_delta,
+                                        &delta2, "tcp"
+                                    );
                                 }
                             }
                         }
@@ -1489,7 +1510,11 @@ void proto_register_ja4(void) {
         {&hf_ja4h_raw_original,
          {"JA4H Raw (Original)", "ja4.ja4h_ro", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL}           },
         {&hf_ja4l,              {"JA4L", "ja4.ja4l", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL}      },
+        {&hf_ja4l_delta,
+         {"JA4L Delta", "ja4.ja4l_delta", FT_DOUBLE, BASE_NONE, NULL, 0x0, NULL, HFILL}                 },
         {&hf_ja4ls,             {"JA4LS", "ja4.ja4ls", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL}    },
+        {&hf_ja4ls_delta,
+         {"JA4LS Delta", "ja4.ja4ls_delta", FT_DOUBLE, BASE_NONE, NULL, 0x0, NULL, HFILL}               },
         {&hf_ja4ssh,            {"JA4SSH", "ja4.ja4ssh", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL}  },
         {&hf_ja4t,              {"JA4T", "ja4.ja4t", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL}      },
         {&hf_ja4ts,             {"JA4T-S", "ja4.ja4ts", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL}   },

diff --git a/wireshark/test/generate-output-files.sh b/wireshark/test/generate-output-files.sh
@@ -15,7 +15,9 @@ FIELDS="-Y ja4 -T json \
 -e ja4.ja4h_r \
 -e ja4.ja4h_ro \
 -e ja4.ja4l \
+-e ja4.ja4l_delta \
 -e ja4.ja4ls \
+-e ja4.ja4ls_delta \
 -e ja4.ja4ssh \
 -e ja4.ja4t \
 -e ja4.ja4ts \

diff --git a/wireshark/test/test_tshark_output.py b/wireshark/test/test_tshark_output.py
@@ -35,7 +35,9 @@ def test_tshark_output_matches_expected(pcap_file):
             "-e", "ja4.ja4h_r",
             "-e", "ja4.ja4h_ro",
             "-e", "ja4.ja4l",
+            "-e", "ja4.ja4l_delta",
             "-e", "ja4.ja4ls",
+            "-e", "ja4.ja4ls_delta",
             "-e", "ja4.ja4ssh",
             "-e", "ja4.ja4t",
             "-e", "ja4.ja4ts",

diff --git a/wireshark/test/testdata/badcurveball.pcap.json b/wireshark/test/testdata/badcurveball.pcap.json
@@ -79,8 +79,14 @@
         "ja4.ja4l": [
           "2177_64_114732"
         ],
+        "ja4.ja4l_delta": [
+          "52.7"
+        ],
         "ja4.ja4ls": [
           "781_238_9107"
+        ],
+        "ja4.ja4ls_delta": [
+          "11.7"
         ]
       }
     }

diff --git a/wireshark/test/testdata/browsers-x509.pcapng.json b/wireshark/test/testdata/browsers-x509.pcapng.json
@@ -67,8 +67,14 @@
         "ja4.ja4l": [
           "56_128_2870"
         ],
+        "ja4.ja4l_delta": [
+          "51.3"
+        ],
         "ja4.ja4ls": [
           "1907_112_343965"
+        ],
+        "ja4.ja4ls_delta": [
+          "180.3"
         ]
       }
     }
@@ -153,8 +159,14 @@
         "ja4.ja4l": [
           "73_128_1768"
         ],
+        "ja4.ja4l_delta": [
+          "24.1"
+        ],
         "ja4.ja4ls": [
           "7166_41_387249"
+        ],
+        "ja4.ja4ls_delta": [
+          "54"
         ]
       }
     }
@@ -241,8 +253,14 @@
         "ja4.ja4l": [
           "78_128_150466"
         ],
+        "ja4.ja4l_delta": [
+          "1929.1"
+        ],
         "ja4.ja4ls": [
           "2948_229_14055"
+        ],
+        "ja4.ja4ls_delta": [
+          "4.8"
         ]
       }
     }

diff --git a/wireshark/test/testdata/http2-with-cookies.pcapng.json b/wireshark/test/testdata/http2-with-cookies.pcapng.json
@@ -81,8 +81,14 @@
         "ja4.ja4l": [
           "47_128_455044"
         ],
+        "ja4.ja4l_delta": [
+          "9579.9"
+        ],
         "ja4.ja4ls": [
           "44840_117_48774"
+        ],
+        "ja4.ja4ls_delta": [
+          "1.1"
         ]
       }
     }

diff --git a/wireshark/test/testdata/latest.pcapng.json b/wireshark/test/testdata/latest.pcapng.json
@@ -79,8 +79,14 @@
         "ja4.ja4l": [
           "62_128_930"
         ],
+        "ja4.ja4l_delta": [
+          "15"
+        ],
         "ja4.ja4ls": [
           "33804_227_35440"
+        ],
+        "ja4.ja4ls_delta": [
+          "1"
         ]
       }
     }
@@ -165,8 +171,14 @@
         "ja4.ja4l": [
           "57_128_2696"
         ],
+        "ja4.ja4l_delta": [
+          "47.3"
+        ],
         "ja4.ja4ls": [
           "7096_245_3800"
+        ],
+        "ja4.ja4ls_delta": [
+          "0.5"
         ]
       }
     }
@@ -300,8 +312,14 @@
         "ja4.ja4l": [
           "47_128_34471"
         ],
+        "ja4.ja4l_delta": [
+          "725.7"
+        ],
         "ja4.ja4ls": [
           "14207_43_18819"
+        ],
+        "ja4.ja4ls_delta": [
+          "1.3"
         ]
       }
     }
@@ -374,8 +392,14 @@
         "ja4.ja4l": [
           "40_128_1829"
         ],
+        "ja4.ja4l_delta": [
+          "45.7"
+        ],
         "ja4.ja4ls": [
           "42103_109_42502"
+        ],
+        "ja4.ja4ls_delta": [
+          "1"
         ]
       }
     }
@@ -448,8 +472,14 @@
         "ja4.ja4l": [
           "61_128_1680"
         ],
+        "ja4.ja4l_delta": [
+          "27.3"
+        ],
         "ja4.ja4ls": [
           "53595_109_42401"
+        ],
+        "ja4.ja4ls_delta": [
+          "0.8"
         ]
       }
     }

diff --git a/wireshark/test/testdata/ssh-r.pcap.json b/wireshark/test/testdata/ssh-r.pcap.json
@@ -41,8 +41,14 @@
         "ja4.ja4l": [
           "94_128_5421"
         ],
+        "ja4.ja4l_delta": [
+          "57.4"
+        ],
         "ja4.ja4ls": [
           "32_64_9660"
+        ],
+        "ja4.ja4ls_delta": [
+          "297.2"
         ]
       }
     }
@@ -104,8 +110,14 @@
         "ja4.ja4l": [
           "14_64_115"
         ],
+        "ja4.ja4l_delta": [
+          "8.2"
+        ],
         "ja4.ja4ls": [
           "4171_116_8099"
+        ],
+        "ja4.ja4ls_delta": [
+          "1.9"
         ]
       }
     }
@@ -182,8 +194,14 @@
         "ja4.ja4l": [
           "12_64_230"
         ],
+        "ja4.ja4l_delta": [
+          "19.2"
+        ],
         "ja4.ja4ls": [
           "3169_116_7225"
+        ],
+        "ja4.ja4ls_delta": [
+          "2.3"
         ]
       }
     }

diff --git a/wireshark/test/testdata/ssh-scp-1050.pcap.json b/wireshark/test/testdata/ssh-scp-1050.pcap.json
@@ -41,8 +41,14 @@
         "ja4.ja4l": [
           "179_128_8921"
         ],
+        "ja4.ja4l_delta": [
+          "49.7"
+        ],
         "ja4.ja4ls": [
           "38_64_-496312"
+        ],
+        "ja4.ja4ls_delta": [
+          "-12891.2"
         ]
       }
     }

diff --git a/wireshark/test/testdata/ssh2-malformed.pcap.json b/wireshark/test/testdata/ssh2-malformed.pcap.json
@@ -41,8 +41,14 @@
         "ja4.ja4l": [
           "7_64_480189"
         ],
+        "ja4.ja4l_delta": [
+          "64025.3"
+        ],
         "ja4.ja4ls": [
           "462_60_-480132"
+        ],
+        "ja4.ja4ls_delta": [
+          "-1038.1"
         ]
       }
     }

diff --git a/wireshark/test/testdata/ssh2-moloch-crash.pcap.json b/wireshark/test/testdata/ssh2-moloch-crash.pcap.json
@@ -41,8 +41,14 @@
         "ja4.ja4l": [
           "7_64_480189"
         ],
+        "ja4.ja4l_delta": [
+          "64025.3"
+        ],
         "ja4.ja4ls": [
           "462_60_-480132"
+        ],
+        "ja4.ja4ls_delta": [
+          "-1038.1"
         ]
       }
     }