Beginner, 10 min

Wireshark JA4+ Plugin Setup

Install the official JA4+ plugin for Wireshark to add JA4, JA4S, JA4H, JA4T, JA4TS, JA4X, and JA4SSH fingerprint columns directly in your packet analysis workflow.

Prerequisites

  • Wireshark 4.0+ installed

Installation

Download the Plugin

The JA4+ Wireshark plugin is available from the FoxIO GitHub repository:

Clone and install
# Clone the JA4 repository
git clone https://github.com/FoxIO-LLC/ja4
cd ja4/wireshark

# Copy the plugin to your personal Wireshark plugins directory
# (create the directory first; cp fails if it does not exist)
# macOS and Linux:
mkdir -p ~/.local/lib/wireshark/plugins
cp ja4.lua ~/.local/lib/wireshark/plugins/

# Windows:
# Copy ja4.lua to %APPDATA%\Wireshark\plugins\

Verify Installation

Check the plugin loaded
# In Wireshark: Help > About Wireshark > Plugins tab
# You should see ja4.lua listed

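# Or test with tshark. If the plugin did not load, tshark rejects the
# field name with an error; a blank line only means the first packet
# carries no JA4 fingerprint.
tshark -r test.pcap -T fields -e ja4.hash -c 1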
Restart Required
After copying the plugin file, restart Wireshark for the plugin to load.

Adding JA4 Columns

Add JA4+ fingerprint columns to Wireshark for at-a-glance fingerprint visibility:

Step 1: Open Column Preferences

Go to Edit > Preferences > Appearance > Columns

Step 2: Add Custom Columns

Add these custom columns with type "Custom":

Title: JA4 | Fields: ja4.hash

Title: JA4S | Fields: ja4s.hash

Title: JA4H | Fields: ja4h.hash

Title: JA4T | Fields: ja4t.hash

Title: JA4X | Fields: ja4x.hash

Title: JA4SSH | Fields: ja4ssh.hash

Step 3: Apply and Verify

Click OK, then open a pcap with TLS traffic. You should see fingerprints populating in the new columns for ClientHello, ServerHello, HTTP, and TCP packets.

Useful Display Filters

JA4+ display filters
# Show packets with any JA4 fingerprint
ja4.hash

# Filter specific client fingerprint
ja4.hash == "t13d1516h2_8daaf6152771_02713d6af862"

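# Show only TLS 1.3 clients over TCP (QUIC fingerprints start with "q")
ja4.hash matches "^t13"

# Find HTTP/2 clients (the ALPN code is characters 9-10 of the first
# section, as in t13d1516h2_..., not the end of the string)
ja4.hash matches "^.{8}h2_"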

# Show server responses
ja4s.hash

# Find specific HTTP client behavior
ja4h.hash

# Show SSH fingerprints
ja4ssh.hash

# Combine filters: show both sides of each handshake
# (ClientHello and ServerHello are separate packets, so use || rather than &&)
ja4.hash || ja4s.hash

tshark Quick Reference

tshark JA4+ commands
# All JA4+ fingerprints from a pcap
tshark -r capture.pcap -T fields \
  -e frame.number -e ip.src -e ip.dst \
  -e ja4.hash -e ja4s.hash -e ja4h.hash \
  -e ja4t.hash -e ja4ssh.hash \
  -E separator=, -E header=y > ja4_report.csv

# Live capture with JA4
tshark -i eth0 -f "tcp port 443" \
  -T fields -e ip.src -e ja4.hash -l

# Export for analysis
tshark -r capture.pcap -Y "ja4.hash" \
  -T json > ja4_analysis.json
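
Added example (not part of the original guide or the FoxIO repository): a POSIX shell and awk helper that condenses the ja4_report.csv produced by the first command above into one line per distinct JA4, with frame count, number of distinct source addresses, and the transport, TLS version and ALPN decoded from the first JA4 section. The function names and sample rows are constructed for illustration, and it assumes the header row from -E header=y and that no field contains a comma.

```shell
#!/bin/sh
# Added example: summarise the ja4.hash column of a tshark CSV report.

# Constructed sample rows in the column order of the report command above.
# The first JA4 value is the one used on this page; the others are made up.
sample_report() {
cat <<'EOF'
frame.number,ip.src,ip.dst,ja4.hash,ja4s.hash,ja4h.hash,ja4t.hash,ja4ssh.hash
4,10.0.0.5,192.0.2.10,t13d1516h2_8daaf6152771_02713d6af862,,,,
6,192.0.2.10,10.0.0.5,,t130200_1301_a56c5b993250,,,
12,10.0.0.5,192.0.2.11,t13d1516h2_8daaf6152771_02713d6af862,,,,
20,10.0.0.7,192.0.2.10,t13d1516h2_8daaf6152771_02713d6af862,,,,
31,10.0.0.9,198.51.100.4,t12d190800_aaaaaaaaaaaa_bbbbbbbbbbbb,,,,
EOF
}

# Reads the CSV on stdin. Prints one line per distinct JA4, busiest first:
#   frames,distinct_sources,transport,tls_version,alpn,ja4
ja4_summary() {
  awk -F, '
    NR == 1 {                      # locate columns by header name
      for (i = 1; i <= NF; i++) {
        if ($i == "ja4.hash") j = i
        if ($i == "ip.src")   s = i
      }
      next
    }
    j && s && $j != "" {           # rows without a ClientHello have an empty ja4.hash
      frames[$j]++
      if (!(($j, $s) in seen)) { seen[$j, $s] = 1; srcs[$j]++ }
    }
    END {
      for (h in frames) {
        t = substr(h, 1, 1)        # JA4 section a: transport, version, ..., ALPN
        transport = (t == "t") ? "tcp" : ((t == "q") ? "quic" : t)
        printf "%d,%d,%s,%s,%s,%s\n", frames[h], srcs[h], transport,
               substr(h, 2, 2), substr(h, 9, 2), h
      }
    }' | sort -t, -k1,1nr -k6,6
}

# JA4 values seen from exactly one source address (candidates for a closer look).
ja4_single_source() {
  ja4_summary | awk -F, '$2 == 1 { print $6 }'
}

sample_report | ja4_summary
```

To run it on a real report, source the functions and use ja4_summary < ja4_report.csv.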
Setup Complete
Your Wireshark is now JA4+ ready. Open any pcap and start fingerprinting traffic. Return to the Quick Labs index to continue with individual fingerprint type labs.