Fix JA4+ fields not showing in Wireshark custom columns #297
Merged
Conversation
Member, Author:
@Boolean263 could you please take a look and test this? Do you think this is safe to merge?
Contributor:
It seems good to me!
Member, Author:
Thanks, David!
Fixes #269
Summary
This PR fixes JA4+ fields not appearing in Wireshark custom columns, `tshark -T fields`, and display filters. The fingerprints were already computed correctly and shown in the Packet Details pane, but the same fields could be empty when accessed through non-visible packet trees used by columns and field extraction.
What was wrong
The JA4+ plugin is a post-dissector. It computes fingerprints, caches them, and re-adds them to the packet tree on later dissection passes.
When replaying cached values, the plugin wraps them in a `ja4` subtree. In Wireshark's visible packet tree, used by the Packet Details pane, that wrapper is a normal real node. But for custom columns, `-T fields`, and display filters, Wireshark uses a stripped-down non-visible tree where unreferenced protocol nodes can be represented as fake placeholders. The old code treated a fake `ja4` wrapper as a hard failure, so it returned before adding the actual JA4+ leaf fields, leaving custom columns and field extraction empty.
Fix
The replay path now keeps going when the `ja4` wrapper is fake. The referenced JA4+ leaf fields, such as `ja4.ja4s`, are still materialized by Wireshark and can be used by custom columns, `-T fields`, and display filters. The change also falls back to the root tree if the expected host protocol subtree cannot be found in a non-visible tree.
Tests
Added regression coverage for the broken paths:
- `-Y ja4`
- `tshark -T fields -e ja4.<field>` without `-Y ja4`
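A shell regression check for the extraction paths the description lists, added here as an example and not code from the PR or the JA4+ project. It assumes a tshark with the JA4+ plugin loaded, takes a capture file path as its first argument (no path is supplied here), and defaults to the `ja4.ja4s` field named above; the custom-column pass uses tshark's `gui.column.format` preference with a `%Cus:` column.

```shell
#!/bin/sh
# Added example: verify that a JA4+ field comes out identically through the
# visible tree path (display filter present) and the non-visible tree paths
# (no filter, custom column) that the PR fixes. Assumes tshark + JA4+ plugin.
# $1 = capture file (placeholder, none supplied), $2 = field (default ja4.ja4s).
set -u

# Return 0 when both extraction outputs are non-empty and identical.
same_nonempty() {
    [ -s "$1" ] && [ -s "$2" ] && cmp -s "$1" "$2"
}

# Count non-blank values in an extraction output (prints 0 for an empty file).
count_values() {
    grep -c . "$1" 2>/dev/null || true
}

check_ja4_extraction() {
    capture="$1"
    field="${2:-ja4.ja4s}"
    tmp=$(mktemp -d) || return 1

    # Pass 1: the display filter references the ja4 tree, so the wrapper is real.
    tshark -r "$capture" -Y ja4 -T fields -e "$field" | grep . > "$tmp/filtered.txt" || :
    # Pass 2: no filter; only the leaf is referenced and the ja4 wrapper may be a
    # fake placeholder. Before the fix this pass yielded no values at all.
    tshark -r "$capture" -T fields -e "$field" | grep . > "$tmp/unfiltered.txt" || :
    # Pass 3: a custom column, which uses the same non-visible tree as the GUI column.
    tshark -r "$capture" -o "gui.column.format:\"$field\",\"%Cus:$field\"" \
        | awk 'NF { print $1 }' > "$tmp/column.txt" || :

    printf 'filtered=%s unfiltered=%s column=%s\n' \
        "$(count_values "$tmp/filtered.txt")" \
        "$(count_values "$tmp/unfiltered.txt")" \
        "$(count_values "$tmp/column.txt")"

    status=0
    same_nonempty "$tmp/filtered.txt" "$tmp/unfiltered.txt" \
        || { echo "FAIL: -T fields without -Y ja4 is empty or differs"; status=1; }
    same_nonempty "$tmp/filtered.txt" "$tmp/column.txt" \
        || { echo "FAIL: custom column is empty or differs"; status=1; }
    rm -rf "$tmp"
    return "$status"
}

# Run only when a capture path is given, so the functions can also be sourced.
if [ -n "${1:-}" ]; then
    check_ja4_extraction "$1" "${2:-ja4.ja4s}"
fi
```

A non-zero exit means one of the non-visible paths still disagrees with the filtered pass, which is exactly the symptom the PR describes.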