JA4+ Network Fingerprinting

Identify Threats at the Protocol Level

FoxIO Labs provides cutting-edge education, training, and hands-on labs in JA4+ network fingerprinting -- the methods used by Fortune 500 companies including Microsoft, Amazon, and Google to detect bots, proxies, and hacking tools.

19 Fingerprint Methods

500+ Fortune Companies

Open Source Core

JA4+ Network Fingerprinting Explained

Watch John Althouse, creator of JA3 and JA4+, explain how protocol-level fingerprinting identifies threats that traditional methods miss.


What JA4+ Detects

Residential Proxies

Per-session identification of traffic traversing residential proxy networks

Bots & Hacking Tools

Detect intercepting proxies like Evilginx, Sliver C2, and spoofed User-Agents

VPN Fingerprinting

Identify VPN technologies by MSS overhead -- OpenVPN, WireGuard, NordVPN

Client Geolocation

Estimate client-to-server distance using light-speed latency measurements


The JA4+ Fingerprinting Suite

A comprehensive set of network fingerprinting methods maintained full-time by FoxIO

Method           | Short Name | Description                                  | Status
JA4              | JA4        | TLS Client Fingerprinting                    | Active
JA4Server        | JA4S       | TLS Server Response / Session Fingerprinting | Active
JA4HTTP          | JA4H       | HTTP Client Fingerprinting                   | Active
JA4Latency       | JA4L       | Client to Server Latency / Light Distance    | Active
JA4LatencyServer | JA4LS      | Server to Client Latency / Light Distance    | Active
JA4X509          | JA4X       | X509 TLS Certificate Fingerprinting          | Active
JA4SSH           | JA4SSH     | SSH Traffic Fingerprinting                   | Active
JA4TCP           | JA4T       | TCP Client Fingerprinting                    | Active
JA4TCPServer     | JA4TS      | TCP Server Response Fingerprinting           | Active
JA4TCPScan       | JA4TScan   | Active TCP Fingerprint Scanner               | Active
JA4DHCP          | JA4D       | DHCP Fingerprinting                          | Active
JA4DHCPv6        | JA4D6      | DHCPv6 Fingerprinting                        | Active
JA4Scan          | JA4Scan    | Active TLS Server Fingerprint Scanner        | In Dev
JA4Email         | JA4E       | Email Header Fingerprinting                  | In Dev
JA4HTTPServer    | JA4HS      | HTTP Server Response Fingerprint             | Backlog
JA4WiFi          | JA4W       | Wireless Client Fingerprint                  | Backlog
JA4BGP           | JA4B       | BGP Fingerprinting                           | Backlog
JA4IPv6          | JA46       | IPv6 Fingerprinting                          | Backlog

Inbound Threat Detection

Use JA4+ to identify inbound bots, fraud, hacking tools, session hijacking, and proxied traffic at the protocol level

Proxy Detection
Detect residential proxied traffic on a per-session basis by analyzing JA4T, JA4L, and User-Agent discrepancies. Identify when the proxy OS does not match the claimed client OS.

Example: Proxied Connection

JA4T: 65535_2-4-8-1-3_1460_4

Claimed Windows, but JA4T = Android

Bot & Tool Detection
Browsers include ALPN in the TLS ClientHello, so JA4_a ends in h1, h2, or h3; for non-browsers it ends in 00. Browsers also prefer HTTP/2+ and list accept-language. Bots and hacking tools do not.

Example: Evilginx detected

JA4H: ge10nn100000

No language, HTTP/1.0 = not a browser

VPN Fingerprinting
VPN overhead reduces MSS by a fixed amount. A JA4T_c (MSS) below 1300 indicates VPN traffic. Specific JA4T fingerprints identify WireGuard, OpenVPN, NordVPN, and iCloud Relay.

Example: WireGuard detected

JA4T: 65340_2-1-3-1-1-4_1210_8

MSS=1210 < 1300 = VPN overhead

Light Distance / Geolocation
JA4L measures latency in microseconds between the TCP and application handshakes to estimate physical distance. Formula: D = jc/p where c = 0.128 miles per microsecond in fiber.

Example: Proxy distance

JA4L: 5191_42_45014

Proxy 415mi, Client 3,185mi away

OS Identification
Identify client operating systems passively using TCP window scale options and observed TTL values, independent of User-Agent strings, which are easily spoofed.

JA4T TCP Options

*_2-1-3-1-1-4_* = Windows

*_2-4-8-1-3_* = Linux

Session Hijacking
Intercepting proxies like Evilginx initiate all communication to the server. All fingerprints observed server-side become the proxy program fingerprint, exposing the attack.

Example: Sliver C2

UA: Safari/macOS but JA4T=Windows

JA4H reveals GoLang, not Safari
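
The JA4T and JA4H checks described in this section, combined into one function as an added example (not FoxIO's code). It uses the MSS threshold and the two TCP-option patterns quoted above, and reads JA4H_a as method, HTTP version, cookie flag, referer flag, header count, and language. The claimed_os helper, the finding names, and treating an MSS of 0 as "option absent" are assumptions.

```python
import re

# JA4T option strings and the MSS threshold are the ones quoted on this page.
OPTION_OS = {"2-1-3-1-1-4": "Windows", "2-4-8-1-3": "Linux"}
VPN_MSS_THRESHOLD = 1300
JA4H_A = re.compile(r"^([a-z]{2})(\d{2})([cn])([rn])(\d{2})(.{4})$")


def parse_ja4t(fp):
    """Split JA4T into window size, TCP options, MSS and window scale."""
    parts = fp.split("_")
    if len(parts) != 4:
        raise ValueError(f"not a JA4T fingerprint: {fp!r}")
    window, options, mss, scale = parts
    return {"window": int(window), "options": options,
            "mss": int(mss), "scale": int(scale)}


def claimed_os(user_agent):
    """Hypothetical helper: coarse OS family claimed by a User-Agent string."""
    ua = user_agent.lower()
    if "windows nt" in ua:
        return "Windows"
    if "android" in ua or "linux" in ua:
        return "Linux"  # the page pairs 2-4-8-1-3 with both Android and Linux
    if "mac os x" in ua:
        return "macOS"
    return None


def assess(ja4t, user_agent, ja4h_a=None):
    """Return the list of findings for one session."""
    findings = []
    tcp = parse_ja4t(ja4t)
    # Assumption: an MSS of 0 means the option was absent, so it is skipped.
    if 0 < tcp["mss"] < VPN_MSS_THRESHOLD:
        findings.append("vpn_mss")
    observed, claimed = OPTION_OS.get(tcp["options"]), claimed_os(user_agent)
    if observed and claimed and observed != claimed:
        findings.append("os_mismatch")  # TCP stack disagrees with the UA
    if ja4h_a:
        m = JA4H_A.match(ja4h_a)
        if m is None:
            raise ValueError(f"not a JA4H_a section: {ja4h_a!r}")
        if m.group(2) == "10":
            findings.append("http_1_0")
        if m.group(6) == "0000":
            findings.append("no_accept_language")
    return findings
```

Each finding is a signal to weigh together with the others, as the examples in this section do, not a verdict on its own.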

Join the Community

Connect with cybersecurity professionals, researchers, and educators using JA4+ worldwide
