Add ja4l_delta to Zeek conn logs #295
Merged
* Clean up some field names so it's a bit more clear what's going on
* Fix typo
* feat: add ja4l_delta and ja4ls_delta to Zeek conn log

  This commit adds `ja4l_delta` and `ja4ls_delta` to `Conn::Info` for JA4L in Zeek. The values calculate the time ratio between server response times and client response times during TCP handshake. For QUIC connections, they default to "1.0". Division by zero scenarios or situations where timestamps are not populated (0.0) correctly omit output.

  Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
* feat: add ja4l_delta and ja4ls_delta to Zeek conn log

  This commit adds `ja4l_delta` and `ja4ls_delta` to `Conn::Info` for JA4L in Zeek. The values calculate the time ratio between server response times and client response times during TCP handshake. For QUIC connections, they default to "1.0". Division by zero scenarios or situations where timestamps are not populated (0) correctly omit output. Added test cases for QUIC and TLS3 to verify JA4L delta behavior.

  Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
* fix: address PR review feedback on JA4L deltas

  - Moved assignment of ja4l and ja4ls inside the c$fp and c$fp$ja4l check
  - Replaced 0.0 with 0 since 0 is the default field value for JA4L timestamps
  - Added quic-with-several-tls-frames.pcapng and tls3.pcapng to btest scripts
  - Updated test baselines

  Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
* fix: address PR review feedback on JA4L deltas

  - Moved assignment of ja4l and ja4ls inside the c$fp and c$fp$ja4l check
  - Replaced 0.0 with 0 since 0 is the default field value for JA4L timestamps
  - Added chrome-cloudflare-quic-with-secrets.pcapng and tls3.pcapng to btest scripts
  - Updated test baselines

  Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>

---------

Co-authored-by: J0eJ0h <16658048+J0eJ0h@users.noreply.github.com>
Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
vlvkobal requested changes Apr 29, 2026

Remove trailing whitespace

Co-authored-by: Vladimir Kobal <vlvkobal@gmail.com>

vlvkobal approved these changes May 1, 2026

Thank you @J0eJ0h!
No description provided.