
Add ja4l_delta to Zeek conn logs #295

Merged: vlvkobal merged 5 commits into FoxIO-LLC:main from J0eJ0h:jojoh/ja4l_delta on May 1, 2026

Conversation

@J0eJ0h J0eJ0h commented Apr 28, 2026 (Collaborator)

No description provided.

J0eJ0h and others added 2 commits April 28, 2026 11:19
* Clean up some field names so it's a bit more clear what's going on
* Fix typo
* feat: add ja4l_delta and ja4ls_delta to Zeek conn log

This commit adds `ja4l_delta` and `ja4ls_delta` to `Conn::Info` for JA4L in Zeek.
The values calculate the time ratio between server response times and client response times during TCP handshake.
For QUIC connections, they default to "1.0".
Division by zero scenarios or situations where timestamps are not populated (0.0) correctly omit output.

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>

* feat: add ja4l_delta and ja4ls_delta to Zeek conn log

This commit adds `ja4l_delta` and `ja4ls_delta` to `Conn::Info` for JA4L in Zeek.
The values calculate the time ratio between server response times and client response times during TCP handshake.
For QUIC connections, they default to "1.0".
Division by zero scenarios or situations where timestamps are not populated (0) correctly omit output.
Added test cases for QUIC and TLS3 to verify JA4L delta behavior.

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>

* fix: address PR review feedback on JA4L deltas

- Moved assignment of ja4l and ja4ls inside the c$fp and c$fp$ja4l check
- Replaced 0.0 with 0 since 0 is the default field value for JA4L timestamps
- Added quic-with-several-tls-frames.pcapng and tls3.pcapng to btest scripts
- Updated test baselines

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>

* fix: address PR review feedback on JA4L deltas

- Moved assignment of ja4l and ja4ls inside the c$fp and c$fp$ja4l check
- Replaced 0.0 with 0 since 0 is the default field value for JA4L timestamps
- Added chrome-cloudflare-quic-with-secrets.pcapng and tls3.pcapng to btest scripts
- Updated test baselines

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>

---------

Co-authored-by: J0eJ0h <16658048+J0eJ0h@users.noreply.github.com>
Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Comment threads on zeek/ja4l/main.zeek (2, outdated)
J0eJ0h and others added 3 commits April 29, 2026 14:14
Remove trailing whitespace

Co-authored-by: Vladimir Kobal <vlvkobal@gmail.com>
@J0eJ0h J0eJ0h requested a review from vlvkobal April 30, 2026 17:20
@vlvkobal vlvkobal merged commit aa86239 into FoxIO-LLC:main May 1, 2026
1 check passed
vlvkobal commented May 1, 2026 (Member)

Thank you @J0eJ0h!
