JA4T - TCP Client Fingerprinting
JA4T fingerprints TCP clients from the client's SYN packet: the advertised window size, the TCP option kinds in the order they are sent, the Maximum Segment Size (MSS) and the window scale shift. These values are chosen by the operating system's TCP/IP stack rather than by the application, which is what makes JA4T useful as an OS fingerprinting tool.
Prerequisites
- Understanding of TCP three-way handshake
- JA4 lab completed
What is JA4T?
JA4T creates a fingerprint from the first TCP SYN packet of a connection. The TCP window size, the options present (MSS, window scale, SACK permitted, timestamps) and their ordering are chosen by the client's operating system kernel, not by the application, so a program using an ordinary socket cannot change them. They are not immutable, though: kernel tunables (on Linux, sysctls such as net.ipv4.tcp_timestamps, net.ipv4.tcp_sack and net.ipv4.tcp_window_scaling) alter the option set, a raw-socket tool can craft any SYN it likes, and a NAT device, proxy or load balancer in the path sends its own stack's SYN or rewrites the MSS. The JA4T you observe therefore describes the last TCP stack that touched the packet, which is not always the end host.
JA4T Format
A JA4T fingerprint is the four values below joined with underscores, for example 65535_2-1-3-1-1-8_1460_8:
- 65535: Window Size. TCP window size from the SYN packet
- 2-1-3-1-1-8: TCP Options. TCP option kinds in order, joined with "-"
- 1460: MSS. Maximum Segment Size value
- 8: Window Scale. Window scaling factor (shift count)
TCP Options Decoded
- 2: MSS (Maximum Segment Size)
- 1: NOP (No-Operation padding)
- 3: Window Scale
- 4: SACK Permitted
- 8: Timestamps
Common OS Fingerprints
- 65535_2-1-3-1-1-8_1460_8
- 65535_2-4-8-1-3_1460_7
- 65535_2-1-3-1-1-8_1460_6
- 14600_2-4-8-1-3_1460_7
Using JA4T
# ja4t.hash comes from a JA4 dissector plugin for tshark; load it first
# (it is not a built-in tshark field)
# Extract JA4T fingerprints (client SYNs only: SYN set, ACK clear)
tshark -r capture.pcap -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0" \
-T fields -e ip.src -e ja4t.hash
# Count OS fingerprints on your network
tshark -r capture.pcap -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0" \
-T fields -e ja4t.hash | sort | uniq -c | sort -rn
# Compare claimed User-Agent OS vs actual TCP OS. The SYN and the HTTP request
# are different packets, so one -e list never shows both on the same line:
# extract each keyed by source IP, then join on the IP
tshark -r capture.pcap -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0" \
-T fields -e ip.src -e ja4t.hash | LC_ALL=C sort -u > syn_ja4t.txt
tshark -r capture.pcap -Y "http.request" \
-T fields -e ip.src -e http.user_agent | LC_ALL=C sort -u > http_ua.txt
LC_ALL=C join -t "$(printf '\t')" syn_ja4t.txt http_ua.txt
Hands-On Exercise
Step 1: Capture SYN Packets
# Capture only client SYNs (SYN set, ACK clear); "tcp-syn != 0" alone would
# also record the server's SYN-ACK
tshark -i eth0 -f "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn" -w syn_capture.pcap -c 100
Step 2: Extract and Group
# tcp.option_kind lists the option kinds in wire order (the JA4T options part);
# mss_val and wscale.shift are the other two components, so ja4t.hash can be
# checked by hand. -E aggregator=- joins repeated fields with "-" like JA4T does
tshark -r syn_capture.pcap \
-Y "tcp.flags.syn == 1 && tcp.flags.ack == 0" \
-T fields -E aggregator=- -e ip.src -e tcp.window_size_value -e tcp.option_kind \
-e tcp.options.mss_val -e tcp.options.wscale.shift -e ja4t.hash
Step 3: Identify Operating Systems
Compare your extracted JA4T fingerprints against the OS fingerprint table above or, better, against a baseline you built from hosts on your own network whose OS you know. Look for OS types you do not expect, a single source IP that presents several different JA4T values (several hosts behind one NAT, or a packet-crafting tool), and hosts whose User-Agent claims one OS while their SYN says another.
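The tshark commands above rely on a dissector plugin and on the analyst joining two outputs by hand. The script below, added for this lab and not FoxIO's reference implementation, does the same work offline: it parses raw IPv4/TCP SYN packets, derives the JA4T string from the window size, option kinds, MSS and window scale, counts fingerprints the way the uniq -c pipeline does, and flags hosts whose SYN-derived OS family disagrees with the OS their User-Agent claims. The two SYN packets, the User-Agent strings and the BASELINE table are constructed for the example; the baseline labels are assumptions for the exercise, not authoritative JA4T-to-OS mappings, and the handling of missing MSS/window-scale values ("00") and of EOL padding in the options list is assumed rather than taken from this page.

```python
# Added example for this lab (not FoxIO's reference code): compute JA4T from raw
# IPv4/TCP SYNs, count fingerprints, and flag hosts whose JA4T family disagrees
# with the OS their User-Agent claims. All packets and tables below are constructed.
import struct
from collections import Counter


def ja4t_from_tcp(tcp: bytes) -> str:
    """window_options_mss_wscale for a TCP client SYN (SYN set, ACK clear).
    Assumed: every option-kind byte is listed in wire order, EOL padding
    included, and a missing MSS or window-scale option is written as "00"."""
    off_flags, window = struct.unpack("!HH", tcp[12:16])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(tcp):
        raise ValueError("bad data offset")
    flags = off_flags & 0x01FF
    if not (flags & 0x002) or (flags & 0x010):
        raise ValueError("not a client SYN")
    opts = tcp[20:data_offset]
    kinds, mss, wscale, i = [], None, None, 0
    while i < len(opts):
        kind = opts[i]
        kinds.append(kind)
        if kind in (0, 1):                   # EOL and NOP carry no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")   # reject, never guess
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            mss = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            wscale = body[0]
        i += length
    return "%d_%s_%s_%s" % (window, "-".join(map(str, kinds)) or "00",
                            "00" if mss is None else mss,
                            "00" if wscale is None else wscale)


def ja4t_from_ipv4(pkt: bytes):
    """(src_ip, ja4t) for a raw IPv4 packet carrying a client SYN, else None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    try:
        return src, ja4t_from_tcp(pkt[ihl:])
    except ValueError:
        return None


def build_syn(src_ip: str, window: int, options: bytes) -> bytes:
    """Constructed test input: minimal IPv4 + TCP SYN, checksums left zero."""
    options += b"\x00" * (-len(options) % 4)            # EOL-pad to 32 bits
    doff = 5 + len(options) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 1, 0, (doff << 12) | 0x002,
                      window, 0, 0) + options
    src = bytes(int(o) for o in src_ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                       6, 0, src, bytes([203, 0, 113, 10])) + tcp


# Constructed sample capture: one SYN from each of two hosts (options as hex).
SAMPLE_SYNS = [
    build_syn("10.0.0.5", 65535, bytes.fromhex(      # MSS,NOP,WS,NOP,NOP,TS
        "020405b4" "01" "030308" "01" "01" "080a0000000100000000")),
    build_syn("10.0.0.7", 64240, bytes.fromhex(      # MSS,SACK_PERM,TS,NOP,WS
        "020405b4" "0402" "080a0000000200000000" "01" "030307")),
]
# Constructed User-Agents later seen from the same hosts.
SAMPLE_UAS = {
    "10.0.0.5": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/120.0",
    "10.0.0.7": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/120.0",
}
# ASSUMED baseline for the exercise only: build yours from hosts whose OS you
# have verified. These labels are not authoritative JA4T-to-OS mappings.
BASELINE = {
    "65535_2-1-3-1-1-8_1460_8": "windows",
    "64240_2-4-8-1-3_1460_7": "linux",
}


def ja4t_counts(packets) -> Counter:
    """Same result as: tshark ... -e ja4t.hash | sort | uniq -c"""
    return Counter(r[1] for r in map(ja4t_from_ipv4, packets) if r)


def ua_family(user_agent: str) -> str:
    ua = user_agent.lower()
    for needle, family in (("windows nt", "windows"), ("mac os x", "macos"),
                           ("android", "android"), ("iphone", "ios"), ("linux", "linux")):
        if needle in ua:             # android before linux: Android UAs say Linux too
            return family
    return "unknown"


def find_mismatches(packets, user_agents, baseline):
    """Hosts whose SYN-derived family (per baseline) differs from their UA's."""
    by_src = {r[0]: r[1] for r in map(ja4t_from_ipv4, packets) if r}
    out = []
    for src, fp in by_src.items():
        tcp_fam = baseline.get(fp, "unknown")
        claimed = ua_family(user_agents.get(src, ""))
        if "unknown" not in (tcp_fam, claimed) and tcp_fam != claimed:
            out.append((src, fp, tcp_fam, claimed))
    return out


if __name__ == "__main__":
    for fp, n in ja4t_counts(SAMPLE_SYNS).most_common():
        print(n, fp)
    for row in find_mismatches(SAMPLE_SYNS, SAMPLE_UAS, BASELINE):
        print("MISMATCH src=%s ja4t=%s tcp=%s user_agent=%s" % row)
```

Feed it real packets by reading a pcap with any capture library that hands you the raw IPv4 bytes and calling ja4t_from_ipv4 on each; the parser deliberately rejects SYN-ACKs and malformed option lengths instead of guessing, because a crafted SYN with a bad option length is exactly the input a fingerprinting tool should not trust.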