About JA4+

The JA4+ suite is an open-source collection of network fingerprinting methods created by FoxIO. Building on the foundation of JA3, JA4+ provides human-readable, machine-sortable fingerprints across TLS, HTTP, TCP, SSH, and X.509 certificates for comprehensive network visibility.

The JA4+ Fingerprint Suite

JA4

TLS Client Fingerprinting

Fingerprints TLS ClientHello messages to identify client applications.

JA4S

TLS Server Fingerprinting

Fingerprints TLS ServerHello responses to identify server configurations.

JA4H

HTTP Client Fingerprinting

Fingerprints HTTP clients by analyzing header ordering and values.

JA4L

Light Distance / Latency

Measures client-to-server latency for geolocation and anomaly detection.

JA4X

X.509 Certificate Fingerprinting

Fingerprints X.509 TLS certificates for issuer identification.

JA4SSH

SSH Traffic Analysis

Classifies SSH sessions by packet length patterns.

JA4T

TCP Client Fingerprinting

Fingerprints TCP SYN packets for passive OS identification.

JA4TS

TCP Server Fingerprinting

Fingerprints TCP SYN-ACK responses for server OS identification.

JA4TScan

TCP Scan Detection

Detects network scanners via TCP fingerprint anomalies.

Key Principles

Human-Readable

JA4+ fingerprints contain readable metadata (protocol, version, counts) making them immediately useful without lookup.

Machine-Sortable

The structured a_b_c format enables sorting, grouping, and filtering in SIEMs, databases, and analysis tools.

Open Source

All JA4+ specifications, tools, and plugins are open source under the FoxIO License, free for internal use.

Multi-Protocol

Unlike single-protocol fingerprinters, JA4+ covers TLS, HTTP, TCP, SSH, and X.509 in one consistent format.

Resources

GitHub Repository

Source code, specifications, and tools.

View on GitHub

JA4 Database

Look up known fingerprints and their associated applications.

Visit JA4DB

Start Learning

Share this page