JA4 - TLS Client Fingerprinting
JA4 is the next generation of TLS client fingerprinting, building upon JA3 with a more readable, sortable, and shareable format. Learn how JA4 generates unique fingerprints from TLS ClientHello messages.
Prerequisites
- Basic understanding of TLS/SSL handshakes
- Wireshark or tshark installed
What is JA4?
JA4 is a TLS client fingerprinting method that creates a unique identifier based on the TLS ClientHello message. Unlike its predecessor JA3, which produces a single MD5 hash, JA4 uses a human-readable format divided into three sections (a_b_c) that makes fingerprints sortable, shareable, and easier to analyze.
JA4 Fingerprint Format
A JA4 fingerprint consists of three parts separated by underscores:
- t13d1516h2 (a section): Protocol, version, SNI, cipher count, extension count, ALPN
- 8daaf6152771 (b section): Truncated SHA-256 of sorted cipher suites
- 02713d6af862 (c section): Truncated SHA-256 of sorted extensions + signature algorithms
Section A - Readable Metadata
The first section is human-readable and contains:
- t: Protocol: t for TCP/TLS, q for QUIC
- 13: TLS version: 13 = TLS 1.3, 12 = TLS 1.2, etc.
- d: SNI: d = domain present, i = IP only
- 15: Number of cipher suites (2 digit, padded)
- 16: Number of extensions (2 digit, padded)
- h2: ALPN first and last char: h2 = HTTP/2
Section B - Cipher Suite Hash
The cipher suites from the ClientHello are sorted in hexadecimal order, joined with commas, then hashed with SHA-256. Only the first 12 characters of the hash are used.
# Original order from ClientHello:
1301,1302,1303,c02c,c02b,c030,c02f,cca9,cca8
# Sorted:
1301,1302,1303,c02b,c02c,c02f,c030,cca8,cca9
# SHA-256 hash (first 12 chars):
8daaf6152771
Section C - Extension + Signature Hash
Extensions are sorted, joined with commas, then the signature algorithms are appended after an underscore. The combined string is SHA-256 hashed and truncated to 12 characters.
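Sections A to C as described above, computed end to end from already-parsed ClientHello fields; this is an added example, not code from the page or the JA4 project, and the sample values are constructed. Three details follow the published JA4 specification rather than the summary here and are treated as assumptions: GREASE values are skipped, SNI (0000) and ALPN (0010) are counted in section a but left out of the c hash, and a missing ALPN is written as 00.

```python
import hashlib

# GREASE placeholders (RFC 8701): 0a0a, 1a1a, ... fafa. The published JA4
# specification skips them; the summary on this page does not cover that.
GREASE = {f"{n:x}a{n:x}a" for n in range(16)}
SNI, ALPN = "0000", "0010"  # counted in section a, left out of the c hash

def hash12(text):
    """First 12 hex characters of SHA-256, used for sections b and c."""
    return hashlib.sha256(text.encode("ascii")).hexdigest()[:12]

def ja4(protocol, version, ciphers, extensions, sig_algs, alpn):
    """Build a_b_c from parsed ClientHello fields.

    ciphers, extensions and sig_algs are 4-digit lowercase hex strings in
    wire order; alpn is the first ALPN protocol name, or None if absent.
    """
    ciphers = [c for c in ciphers if c not in GREASE]
    extensions = [e for e in extensions if e not in GREASE]
    sni = "d" if SNI in extensions else "i"
    alpn_tag = alpn[0] + alpn[-1] if alpn else "00"
    a = (f"{protocol}{version}{sni}"
         f"{min(len(ciphers), 99):02d}{min(len(extensions), 99):02d}{alpn_tag}")
    b = hash12(",".join(sorted(ciphers)))
    c_input = ",".join(sorted(e for e in extensions if e not in (SNI, ALPN)))
    if sig_algs:  # signature algorithms keep wire order, they are not sorted
        c_input += "_" + ",".join(sig_algs)
    return f"{a}_{b}_{hash12(c_input)}"

# Constructed sample ClientHello fields (not taken from a real capture).
CIPHERS = ["2a2a", "1302", "1301", "c02f", "c02b", "009c"]
EXTS = ["4a4a", "0000", "002b", "000a", "0010", "000d", "0033", "ff01"]
SIGS = ["0403", "0804", "0401"]

if __name__ == "__main__":
    print(ja4("t", "13", CIPHERS, EXTS, SIGS, "h2"))
    # Same client, lists reversed and different GREASE values: same JA4.
    print(ja4("t", "13", ["fafa"] + CIPHERS[:0:-1],
              ["1a1a"] + EXTS[:0:-1], SIGS, "h2"))
```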
# Sorted extensions + signature algorithms:
0005,000a,000b,000d,0017,0023,002b,002d,0033,ff01_0401,0501,0601,0201,0301
# SHA-256 hash (first 12 chars):
02713d6af862
Using JA4 with Wireshark
The JA4+ Wireshark plugin adds JA4 fingerprint columns directly to your packet analysis workflow.
Display Filter Examples
# Filter for specific JA4 fingerprint
ja4.hash == "t13d1516h2_8daaf6152771_02713d6af862"
# Filter by JA4 'a' section only (partial match)
ja4.hash contains "t13d"
# Show only TLS 1.3 clients
ja4.hash matches "^t13"
# Show clients without SNI (IP-only connections)
ja4.hash matches "^t..i"
Using tshark
# Extract JA4 fingerprints from a pcap
tshark -r capture.pcap -Y "tls.handshake.type == 1" \
-T fields -e ip.src -e ip.dst -e ja4.hash
# Count unique JA4 fingerprints
tshark -r capture.pcap -Y "tls.handshake.type == 1" \
-T fields -e ja4.hash | sort | uniq -c | sort -rn
# Export with timestamps
tshark -r capture.pcap -Y "tls.handshake.type == 1" \
-T fields -e frame.time -e ip.src -e ja4.hash
Common JA4 Fingerprints
Here are some well-known JA4 fingerprints and what they identify:
- t13d1516h2_8daaf6152771_02713d6af862
- t13d1517h2_a09f3c656075_1e2b2c1504b9
- t13d0909h1_fcb2e1b24f03_de54ab0e8564
- t12d1010h1_c40f3c9a2bc3_e8821e9d3f7a
Hands-On Exercise
Practice generating and analyzing JA4 fingerprints with these steps:
Step 1: Capture TLS Traffic
tshark -i eth0 -f "tcp port 443" -w tls_capture.pcap -c 100
Step 2: Extract JA4 Fingerprints
tshark -r tls_capture.pcap -Y "tls.handshake.type == 1" \
-T fields -e ip.src -e tls.handshake.extensions_server_name -e ja4.hash
Step 3: Look Up Fingerprints
Compare your JA4 fingerprints against the JA4 database at ja4db.com to identify the applications generating the traffic.
Step 4: Analyze Results
Look for patterns: Are there unusual fingerprints? Do any match known malware signatures? Compare the "a" section to quickly group clients by TLS version and cipher count.