JA4L - Light Distance Fingerprinting
JA4L uses the timing of the TCP three-way handshake to put an upper bound on the physical distance between client and server. Because the handshake is answered by the kernel with no application processing, the gap between packets is almost pure propagation delay, and propagation delay is bounded by the speed of light in fiber. Comparing that bound with the location GeoIP claims for the client IP helps identify clients that reach the server through a VPN or proxy that masks where they really are.
Prerequisites
- Understanding of TCP 3-way handshake
- Basic Wireshark/tshark usage
What is JA4L?
JA4L works on the three packets of the TCP handshake (SYN, SYN-ACK, ACK). Seen from the server, the time between sending the SYN-ACK and receiving the client's ACK is one round trip to the client; seen from the client, the time between the SYN and the SYN-ACK is one round trip to the server. Halving each interval gives an estimated one-way latency in microseconds. Data travels through fiber optic cable at roughly 2/3 the speed of light in a vacuum, about 200 km (0.124 miles) per microsecond, so the one-way latency converts into a distance. Note the measurement is a ceiling, not a point estimate: cables do not run in straight lines and routers add queueing delay, so the true distance is always at or below the JA4L figure. Use the handshake, not the first application-data packet (TLS ClientHello, HTTP GET): that packet includes client-side processing time and, behind a TCP-terminating proxy, an extra hop to the real client, so it is not a clean distance measurement.
JA4L Format
JA4L is reported per direction: JA4L-C for the client (SYN-ACK to ACK) and JA4L-S for the server (SYN to SYN-ACK). Each value is the halved interval in microseconds, followed by an underscore and the IP TTL observed on the packet that completed the measurement (the TTL gives a rough hop count to compare against the distance).
# Raw interval, server SYN-ACK to client ACK: 45000 microseconds (45 ms)
# One-way latency = 45000 / 2 = 22500 microseconds -> JA4L-C = 22500_<client TTL>
# Distance ceiling = 22500 * 0.124 = 2790 miles
Using JA4L to Detect Proxies
JA4L is only meaningful relative to the point where the capture was taken (normally the server), so the comparison is: great-circle distance from the server to the GeoIP location of the client IP versus the JA4L distance ceiling. If an IP is registered in New York, the server is also in New York, but JA4L indicates the client is up to 2,790 miles away, the client is likely reaching the server through a VPN or tunnel whose exit is in New York: an IP-layer tunnel (WireGuard, OpenVPN, IPsec) forwards the handshake packets to the real client, so the ACK still has to travel there and back and JA4L measures the real distance. A TCP-terminating proxy (SOCKS, HTTP CONNECT, a CDN edge) behaves differently: it completes the handshake itself, so JA4L-C reports the distance to the proxy, which will agree with the proxy's GeoIP. In that case the tell is the reverse anomaly or the next packet, since the first application data must travel proxy to client and back before it appears, so the handshake-to-ClientHello gap is far larger than the handshake itself would allow. Also remember that JA4L is a ceiling: a GeoIP distance larger than the JA4L figure is physically impossible and means either the GeoIP data is wrong or the TCP session was terminated by something closer to you.
Hands-On Exercise
Step 1: Capture a TCP Connection
tshark -i eth0 -f "tcp port 443" -w latency_capture.pcap -c 50
Step 2: Analyze Latency
Open the capture in Wireshark with the JA4+ plugin and look at the JA4L-C and JA4L-S columns; the number before the underscore is the one-way latency in microseconds (already halved), the number after it is the TTL. Without the plugin, select the client's handshake ACK, read the time since the server's SYN-ACK, and halve it yourself.
Step 3: Estimate Distance
Multiply the one-way microsecond value by 0.124 to get the distance ceiling in miles (if you measured the raw SYN-ACK-to-ACK interval yourself, divide by 2 first; the plugin's JA4L value is already one-way, so do not halve it again). Compare this to the great-circle distance between the server and the GeoIP location of the client IP. A ceiling far above the GeoIP distance points at a tunnel or VPN exit; a GeoIP distance above the ceiling means the handshake was terminated closer to you than the IP's claimed location.
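The whole procedure above (extract handshake timestamps, build JA4L-C/JA4L-S, convert to a distance ceiling, compare with GeoIP) as one runnable script. This is an added example, not code from the JA4+ project or the Wireshark plugin. The packet rows are constructed by hand in the shape tshark prints for the listed fields, and the IP addresses, coordinates and the 1,000-mile slack threshold are assumptions for the example.

```python
"""JA4L-style light-distance estimation from TCP handshake timestamps.

Added example, not part of JA4+.  SAMPLE_CSV mimics the output of
  tshark -r latency_capture.pcap -T fields -E separator=, \
      -e frame.time_epoch -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport \
      -e tcp.flags.syn -e tcp.flags.ack -e ip.ttl
but the rows are constructed, as are the IPs, coordinates and thresholds.
"""
from collections import defaultdict
from decimal import Decimal
import math

MILES_PER_US = 0.124          # light in fiber at ~2/3 c: ~0.2 km, 0.124 mi, per microsecond
EARTH_RADIUS_MILES = 3958.8

# Constructed capture taken at the server 192.0.2.10:443.
# Flow A: client 198.51.100.7, handshake ACK 6000 us after the SYN-ACK (plus one data packet).
# Flow B: client 203.0.113.9, handshake ACK 45000 us after the SYN-ACK (the page's 45 ms case).
SAMPLE_CSV = """\
1700000000.000000,198.51.100.7,192.0.2.10,51234,443,1,0,115
1700000000.000030,192.0.2.10,198.51.100.7,443,51234,1,1,64
1700000000.006030,198.51.100.7,192.0.2.10,51234,443,0,1,115
1700000000.006500,198.51.100.7,192.0.2.10,51234,443,0,1,115
1700000001.000000,203.0.113.9,192.0.2.10,40001,443,1,0,50
1700000001.000030,192.0.2.10,203.0.113.9,443,40001,1,1,64
1700000001.045030,203.0.113.9,192.0.2.10,40001,443,0,1,50
"""


def _flag(v):
    # tshark prints booleans as 1/0 in older versions and True/False in newer ones.
    return v.strip() in ("1", "True", "true")


def parse_rows(csv_text):
    """Parse tshark field rows into dicts; Decimal keeps microsecond timestamps exact."""
    pkts = []
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, sport, dport, syn, ack, ttl = line.split(",")
        pkts.append({"ts": Decimal(ts), "src": src, "dst": dst,
                     "sport": int(sport), "dport": int(dport),
                     "syn": _flag(syn), "ack": _flag(ack), "ttl": int(ttl)})
    return pkts


def compute_ja4l(pkts):
    """Return {(client, cport, server, sport): {...}} with JA4L-C and JA4L-S strings.

    JA4L-S = (SYN-ACK time - SYN time) / 2 in us, '_' , server TTL
    JA4L-C = (ACK time - SYN-ACK time) / 2 in us, '_' , client TTL
    Only the first bare ACK after the SYN-ACK counts; later data packets are ignored.
    """
    syns, synacks, results = {}, {}, {}
    for p in sorted(pkts, key=lambda p: p["ts"]):
        key = (p["src"], p["sport"], p["dst"], p["dport"])   # as sent by the client
        rkey = (p["dst"], p["dport"], p["src"], p["sport"])  # as sent by the server
        if p["syn"] and not p["ack"]:
            syns.setdefault(key, p)
        elif p["syn"] and p["ack"] and rkey in syns and rkey not in synacks:
            synacks[rkey] = p
        elif p["ack"] and not p["syn"] and key in synacks and key not in results:
            syn, synack = syns[key], synacks[key]
            s_us = round((synack["ts"] - syn["ts"]) * 1_000_000 / 2)
            c_us = round((p["ts"] - synack["ts"]) * 1_000_000 / 2)
            results[key] = {"JA4L-S": f"{s_us}_{synack['ttl']}",
                            "JA4L-C": f"{c_us}_{p['ttl']}",
                            "client_one_way_us": c_us, "server_one_way_us": s_us}
    return results


def light_distance_miles(one_way_us):
    """Distance ceiling: light in fiber could not have carried the packet farther."""
    return one_way_us * MILES_PER_US


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two GeoIP coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def assess(one_way_us, server_latlon, client_latlon, slack_miles=1000.0):
    """Compare the JA4L ceiling with the GeoIP distance from server to client IP.

    slack_miles (an assumed threshold) absorbs indirect cable routes and queueing.
    """
    ceiling = light_distance_miles(one_way_us)
    claimed = haversine_miles(*server_latlon, *client_latlon)
    if claimed > ceiling:
        verdict = "impossible"   # GeoIP farther than light allows: proxy/CDN terminated TCP, or GeoIP wrong
    elif ceiling > claimed + slack_miles:
        verdict = "suspicious"   # client far beyond its claimed location: VPN/tunnel exit
    else:
        verdict = "consistent"
    return {"ceiling_miles": round(ceiling, 1), "geoip_miles": round(claimed, 1), "verdict": verdict}


if __name__ == "__main__":
    server = (40.7128, -74.0060)                      # assumed: server in New York
    geoip = {"198.51.100.7": (42.3601, -71.0589),     # assumed GeoIP: Boston
             "203.0.113.9": (40.7306, -73.9352)}      # assumed GeoIP: New York
    for key, r in compute_ja4l(parse_rows(SAMPLE_CSV)).items():
        print(key[0], r["JA4L-C"], r["JA4L-S"], assess(r["client_one_way_us"], server, geoip[key[0]]))
```

Flow B reproduces the page's arithmetic: a 45,000 µs SYN-ACK-to-ACK interval becomes JA4L-C 22500_50 and a 2,790-mile ceiling, which is flagged against a GeoIP location a few miles from the server. Flow A's 372-mile ceiling for a Boston client is within routing slack and passes.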