Commit

Update README.md
john-althouse authored Nov 1, 2023
1 parent 1140e95 commit 54ac266
Showing 1 changed file with 8 additions and 1 deletion.
9 changes: 8 additions & 1 deletion technical_details/README.md
Expand Up @@ -7,7 +7,14 @@
[JA4SSH: SSH Traffic Fingerprinting](https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4SSH.md)

### JA4+ General Rules
1. If a hashed field is empty, the output is 000s instead of a hash of an empty field. This is more conducive for analysis.
1. JA4+ fingerprints are split into an a_b_c format. If one wants to search just the c section of JA4H, that is represented as 'JA4H_c'. Just sections a and b of JA4H would be 'JA4H_ab'. All sections of JA4H is represented as 'JA4H'.
2. All hex values used to generate fingerprint hashes are in lowercase hex.
3. All fingerprint outputs are lowercase. In the case of JA4_a, it's a lowercase string, JA4_bc is lowercase hex, and so on.
4. '_r' denotes a raw, unhashed fingerprint. '_ro' denotes a raw, unhashed fingerprint in its original ordering (not sorted). So a raw ja4 fingerprint is represented as 'ja4_r'.
5. If a hashed section is empty, the output is 000000000000 instead of a hash of an empty section. This is more conducive for analysis.
6. If a search only contains the first two sections of a fingerprint, for example JA4H=ge11cn060000_4e59edc1297a, that is an implied * at the end of the fingerprint as the fingerprint generating tool would output all fields, for example JA4H=ge11cn060000_4e59edc1297a_4da5efaf0cbd_000000000000.
7.


### License
See [Licensing](https://github.com/FoxIO-LLC/ja4/tree/main#licensing) in the repo root. We are commited to work with vendors and open source projects to help implement JA4+ into those tools. Please contact [email protected] with any questions.
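
Review bot: Rule 7 at the end of the new list is committed as a bare "7." with no text; drop it or finish the rule, since an empty numbered item renders as a dangling entry in the README. Rule 1 describes the fingerprints as an a_b_c format, but the JA4H example in rule 6 (ge11cn060000_4e59edc1297a_4da5efaf0cbd_000000000000) has four sections, so the rule should say that the number of sections varies by fingerprint type, or name the d section. Rule 4 writes the raw form as 'ja4_r' in lowercase while rule 1 writes 'JA4H_c' and 'JA4H_ab' in uppercase; pick one casing for fingerprint names so searches and tooling match on the same string. In rule 5, consider stating the length in words (twelve 0s) next to 000000000000, because the previous wording "000s" was ambiguous and implementers comparing against this value need the exact width.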
