
Fix JA4L TCP packet selection in Wireshark plugin#294

Merged
vlvkobal merged 1 commit into FoxIO-LLC:main from vlvkobal:fix-wireshark-ja4l on Apr 20, 2026

Conversation

@vlvkobal (Member)

Summary

This updates the Wireshark JA4 dissector so TCP JA4L follows the spec for timestamps D, E, and F.

Previously, the plugin guessed packet direction from port heuristics like srcport < 5000 / dstport < 5000 and only treated exact PSH, ACK packets as application data. That could pick the wrong E packet, even though the spec defines E as the first server application packet.

Changes

  • Track client and server roles from the TCP handshake
  • Pick D, E, and F based on real connection direction
  • Treat application packets as any TCP packets with payload (tcp.len > 0), not just exact PSH, ACK
  • Remove the unnecessary private Wireshark header include

Why

Per the JA4L spec:

  • D as the first client application packet after the TCP handshake
  • E as the first server application packet after D
  • F as the first client application packet after E

This change makes the plugin match that behavior.
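To make the D/E/F selection rule concrete, here is an added example (not the plugin's Lua code and not part of the PR) written in Python. It tracks client and server roles from the SYN instead of from port numbers, treats any segment with tcp.len > 0 as an application packet, and is run side by side with a reconstruction of the pre-fix heuristic described above (port < 5000 for direction, exact PSH,ACK for data). The packet list, the `Pkt` class and the `legacy_select` reconstruction are constructed for this example and are assumptions, not captured traffic or the old plugin's logic.

```python
"""Select JA4L timestamps A..F from a TCP flow, with roles fixed by the handshake."""
from dataclasses import dataclass

SYN, PSH, ACK = 0x02, 0x08, 0x10


@dataclass(frozen=True)
class Pkt:
    """Minimal view of one TCP segment (constructed type for this example)."""
    ts: float     # capture timestamp in seconds
    src: tuple    # (ip, port)
    dst: tuple    # (ip, port)
    flags: int    # TCP flag bits
    plen: int     # tcp.len, i.e. payload bytes


def select_ja4l(packets):
    """Return {'client','server','A'..'F'} for one flow; missing entries stay None."""
    out = {k: None for k in ("client", "server", "A", "B", "C", "D", "E", "F")}
    for p in packets:
        if out["client"] is None:
            # A: the bare SYN fixes who is client and who is server for the whole flow.
            if p.flags & SYN and not p.flags & ACK:
                out["client"], out["server"], out["A"] = p.src, p.dst, p.ts
            continue
        if (p.src, p.dst) == (out["client"], out["server"]):
            from_client = True
        elif (p.src, p.dst) == (out["server"], out["client"]):
            from_client = False
        else:
            continue  # belongs to another flow
        if out["B"] is None:
            if not from_client and p.flags & SYN and p.flags & ACK:
                out["B"] = p.ts
            continue
        if out["C"] is None:
            if from_client and p.flags & ACK and not p.flags & SYN:
                out["C"] = p.ts
                # no 'continue': the handshake ACK may already carry data (then it is also D)
            else:
                continue
        if p.plen == 0:
            continue  # pure ACKs, FINs, keepalives are not application packets
        if out["D"] is None:
            if from_client:
                out["D"] = p.ts          # first client application packet after the handshake
        elif out["E"] is None:
            if not from_client:
                out["E"] = p.ts          # first server application packet after D
        elif out["F"] is None:
            if from_client:
                out["F"] = p.ts          # first client application packet after E
                break
    return out


def legacy_select(packets):
    """Reconstruction (assumed, not the old plugin code) of the pre-fix heuristic:
    direction from 'port < 5000', and only an exact PSH,ACK counts as application data."""
    out = {"D": None, "E": None, "F": None}
    for p in packets:
        if p.flags != PSH | ACK:
            continue
        if p.dst[1] < 5000:
            from_client = True
        elif p.src[1] < 5000:
            from_client = False
        else:
            continue  # both ports high: the heuristic cannot tell the direction
        if out["D"] is None:
            if from_client:
                out["D"] = p.ts
        elif out["E"] is None:
            if not from_client:
                out["E"] = p.ts
        elif out["F"] is None:
            if from_client:
                out["F"] = p.ts
                break
    return out


def sample_flow(server_port):
    """Constructed TLS-like flow. The first server data segment is ACK-only (no PSH),
    which is the normal shape of a multi-segment ServerHello."""
    c, s = ("10.0.0.5", 49152), ("203.0.113.10", server_port)
    return [
        Pkt(0.000, c, s, SYN, 0),
        Pkt(0.020, s, c, SYN | ACK, 0),
        Pkt(0.021, c, s, ACK, 0),
        Pkt(0.022, c, s, PSH | ACK, 517),   # ClientHello -> D
        Pkt(0.045, s, c, ACK, 1460),        # first ServerHello segment -> E per the spec
        Pkt(0.046, s, c, PSH | ACK, 900),   # last segment; the PSH,ACK-only rule picks this as E
        Pkt(0.047, c, s, ACK, 0),           # pure ACK, not application data
        Pkt(0.050, c, s, PSH | ACK, 80),    # client Finished -> F
    ]


if __name__ == "__main__":
    for port in (443, 8443):
        print(port, "spec:", {k: select_ja4l(sample_flow(port))[k] for k in "DEF"},
              "legacy:", legacy_select(sample_flow(port)))
```

On the port 443 flow the two selections differ only in E (0.045 versus 0.046), which is exactly the mis-pick the PR describes; on the port 8443 flow the legacy heuristic finds no direction at all and returns nothing, while the handshake-based version is unaffected because it never looks at port numbers.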

@vlvkobal vlvkobal merged commit 34c1c51 into FoxIO-LLC:main Apr 20, 2026
1 check passed
@vlvkobal vlvkobal deleted the fix-wireshark-ja4l branch April 20, 2026 19:59