diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d7ed5e8..461e3b8 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -28,6 +28,15 @@ jobs: - uses: actions/checkout@v4 with: submodules: true + - name: Install tshark + # See https://launchpad.net/~wireshark-dev/+archive/ubuntu/stable + run: | + sudo apt update + sudo apt -y install software-properties-common # provides `add-apt-repository` + sudo add-apt-repository --yes ppa:wireshark-dev/stable + sudo apt update + sudo apt -y install tshark + tshark --version - name: Install ${{ matrix.toolchain }} uses: dtolnay/rust-toolchain@master with: @@ -50,6 +59,15 @@ jobs: - uses: actions/checkout@v4 with: submodules: true + - name: Install tshark + # See https://launchpad.net/~wireshark-dev/+archive/ubuntu/stable + run: | + sudo apt update + sudo apt -y install software-properties-common # provides `add-apt-repository` + sudo add-apt-repository --yes ppa:wireshark-dev/stable + sudo apt update + sudo apt -y install tshark + tshark --version - name: Install stable uses: dtolnay/rust-toolchain@stable - name: Install nightly for -Zminimal-versions @@ -70,8 +88,8 @@ jobs: # NOTE: Don't use GitHub-hosted macOS runners in a non-public repository -- # they consume CI/CD minutes like crazy; see # https://docs.github.com/en/billing/managing-billing-for-github-actions/about-billing-for-github-actions#minute-multipliers - - windows-latest #- macos-latest + - windows-latest steps: - uses: actions/checkout@v4 with: diff --git a/.gitignore b/.gitignore index 40b79c0..ec5bb88 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/target +rust/target .DS_Store .vscode/ diff --git a/pcap/browsers-x509.pcapng b/pcap/browsers-x509.pcapng new file mode 100644 index 0000000..357b734 Binary files /dev/null and b/pcap/browsers-x509.pcapng differ 
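Review bot: The new `Install tshark` step adds a third-party PPA (`ppa:wireshark-dev/stable`) under `sudo` and installs whatever version that archive serves at run time, so the job trusts the PPA's signing key and the tool version can change between runs without any change in the repository. The only record of what was installed is the `tshark --version` line in the job log. If the PPA is needed because the distribution package is too old, the step comment should say so, e.g. `# PPA needed: the runner's distro tshark is older than <MINIMUM_SUPPORTED_VERSION>`. The same step is repeated verbatim in the hunk at `@@ -50,6 +59,15 @@`; moving it into one shared script or composite action would keep the two copies from drifting.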
diff --git a/pcap/chrome-cloudflare-quic-with-secrets.pcapng b/pcap/chrome-cloudflare-quic-with-secrets.pcapng
new file mode 100644
index 0000000..4968365
Binary files /dev/null and b/pcap/chrome-cloudflare-quic-with-secrets.pcapng differ
diff --git a/pcap/http1-with-cookies.pcapng b/pcap/http1-with-cookies.pcapng
new file mode 100644
index 0000000..37cfb41
Binary files /dev/null and b/pcap/http1-with-cookies.pcapng differ
diff --git a/pcap/http1.pcapng b/pcap/http1.pcapng
new file mode 100644
index 0000000..e4e23bb
Binary files /dev/null and b/pcap/http1.pcapng differ
diff --git a/pcap/http2-with-cookies.pcapng b/pcap/http2-with-cookies.pcapng
new file mode 100644
index 0000000..7237d48
Binary files /dev/null and b/pcap/http2-with-cookies.pcapng differ
diff --git a/pcap/ipv6.pcapng b/pcap/ipv6.pcapng
new file mode 100644
index 0000000..74bf35a
Binary files /dev/null and b/pcap/ipv6.pcapng differ
diff --git a/pcap/latest.pcapng b/pcap/latest.pcapng
new file mode 100644
index 0000000..3ee5474
Binary files /dev/null and b/pcap/latest.pcapng differ
diff --git a/pcap/quic-tls-handshake.pcapng b/pcap/quic-tls-handshake.pcapng
new file mode 100644
index 0000000..5d9cd93
Binary files /dev/null and b/pcap/quic-tls-handshake.pcapng differ
diff --git a/pcap/quic-with-several-tls-frames.pcapng b/pcap/quic-with-several-tls-frames.pcapng
new file mode 100644
index 0000000..97e8925
Binary files /dev/null and b/pcap/quic-with-several-tls-frames.pcapng differ
diff --git a/pcap/ssh-scp-1050.pcap b/pcap/ssh-scp-1050.pcap
new file mode 100644
index 0000000..9fbc83c
Binary files /dev/null and b/pcap/ssh-scp-1050.pcap differ
diff --git a/pcap/ssh.pcapng b/pcap/ssh.pcapng
new file mode 100644
index 0000000..a71c363
Binary files /dev/null and b/pcap/ssh.pcapng differ
diff --git a/pcap/ssh2.pcapng b/pcap/ssh2.pcapng
new file mode 100644
index 0000000..27748bb
Binary files /dev/null and b/pcap/ssh2.pcapng differ
diff --git a/pcap/tls-handshake.pcapng b/pcap/tls-handshake.pcapng new file mode 100644 index 0000000..8822715 Binary files /dev/null and b/pcap/tls-handshake.pcapng differ diff --git a/pcap/tls-sni.pcapng b/pcap/tls-sni.pcapng new file mode 100644 index 0000000..a6da906 Binary files /dev/null and b/pcap/tls-sni.pcapng differ diff --git a/pcap/tls3.pcapng b/pcap/tls3.pcapng new file mode 100644 index 0000000..f0f1604 Binary files /dev/null and b/pcap/tls3.pcapng differ diff --git a/rust/CHANGELOG.md b/rust/CHANGELOG.md index ad070da..12ab070 100644 --- a/rust/CHANGELOG.md +++ b/rust/CHANGELOG.md @@ -7,11 +7,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [0.15.0] - 2023-10-08 + +### Added + +- Add capture files and expected output. + ## [0.14.0] - 2023-10-04 ### Added - Add Rust sources of `ja4` and `ja4x` CLI tools. -[unreleased]: https://github.com/FoxIO-LLC/ja4/compare/v0.14.0...HEAD +[unreleased]: https://github.com/FoxIO-LLC/ja4/compare/v0.15.0...HEAD +[0.15.0]: https://github.com/FoxIO-LLC/ja4/compare/v0.14.0...v0.15.0 [0.14.0]: https://github.com/FoxIO-LLC/ja4/releases/tag/v0.14.0 diff --git a/rust/Cargo.lock b/rust/Cargo.lock index 65c72ef..58b86de 100644 --- a/rust/Cargo.lock +++ b/rust/Cargo.lock @@ -67,7 +67,7 @@ version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5ca11d4be1bab0c8bc8734a9aa7bf4ee8316d462a08c6ac5052f888fef5b494b" dependencies = [ - "windows-sys", + "windows-sys 0.48.0", ] [[package]] @@ -77,7 +77,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0238ca56c96dfa37bdf7c373c8886dd591322500aceeeccdb2216fe06dc2f796" dependencies = [ "anstyle", - "windows-sys", + "windows-sys 0.48.0", ] [[package]] 
@@ -160,6 +160,16 @@ dependencies = [ "generic-array", ] +[[package]] +name = "bstr" +version = "1.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6798148dccfbff0fae41c7574d2fa8f1ef3492fba0face179de5d8d447d67b05" +dependencies = [ + "memchr", + "serde", +] + [[package]] name = "cc" version = "1.0.83" @@ -272,6 +282,18 @@ dependencies = [ "toml", ] +[[package]] +name = "console" +version = "0.15.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c926e00cc70edefdc64d3a5ff31cc65bb97a3460097762bd23afb4d8145fccf8" +dependencies = [ + "encode_unicode", + "lazy_static", + "libc", + "windows-sys 0.45.0", +] + [[package]] name = "cpufeatures" version = "0.2.9" @@ -368,6 +390,12 @@ version = "1.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a26ae43d7bcc3b814de94796a5e736d4029efb0ee900c12e2d54c993ad1a1e07" +[[package]] +name = "encode_unicode" +version = "0.3.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a357d28ed41a50f9c765dbfe56cbc04a64e53e5fc58ba79fbc34c10ef3df831f" + [[package]] name = "equivalent" version = "1.0.1" @@ -394,6 +422,12 @@ dependencies = [ "once_cell", ] +[[package]] +name = "fnv" +version = "1.0.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" + [[package]] name = "fs-err" version = "2.9.0" @@ -416,6 +450,19 @@ version = "0.28.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6fb8d784f27acf97159b40fc4db5ecd8aa23b9ad5ef69cdd136d3bc80665f0c0" +[[package]] +name = "globset" +version = "0.4.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "759c97c1e17c55525b57192c06a267cda0ac5210b222d6b82189a2338fa1c13d" +dependencies = [ + "aho-corasick", + "bstr", + "fnv", + "log", + "regex", +] + [[package]] name = "hashbrown" version = "0.14.1" 
@@ -451,6 +498,22 @@ dependencies = [ "serde", ] +[[package]] +name = "insta" +version = "1.33.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1aa511b2e298cd49b1856746f6bb73e17036bcd66b25f5e92cdcdbec9bd75686" +dependencies = [ + "console", + "globset", + "lazy_static", + "linked-hash-map", + "serde", + "similar", + "walkdir", + "yaml-rust", +] + [[package]] name = "itertools" version = "0.11.0" @@ -468,7 +531,7 @@ checksum = "af150ab688ff2122fcef229be89cb50dd66af9e01a4ff320cc137eecc9bacc38" [[package]] name = "ja4" -version = "0.14.0" +version = "0.15.0" dependencies = [ "clap", "color-eyre", @@ -478,6 +541,7 @@ dependencies = [ "fs-err", "hex", "indexmap", + "insta", "itertools", "ja4x", "owo-colors", @@ -495,7 +559,7 @@ dependencies = [ [[package]] name = "ja4x" -version = "0.14.0" +version = "0.15.0" dependencies = [ "clap", "color-eyre", @@ -524,6 +588,12 @@ version = "0.2.147" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b4668fb0ea861c1df094127ac5f1da3409a82116a4ba74fca2e58ef927159bb3" +[[package]] +name = "linked-hash-map" +version = "0.5.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0717cef1bc8b636c6e1c1bbdefc09e6322da8a9321966e8928ef80d20f7f770f" + [[package]] name = "log" version = "0.4.20" @@ -641,7 +711,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0ae859aa07428ca9a929b936690f8b12dc5f11dd8c6992a18ca93919f28bc177" dependencies = [ "libc", - "windows-sys", + "windows-sys 0.48.0", ] [[package]] 
@@ -780,6 +850,15 @@ version = "1.0.15" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1ad4cc8da4ef723ed60bced201181d83791ad433213d8c24efffda1eec85d741" +[[package]] +name = "same-file" +version = "1.0.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502" +dependencies = [ + "winapi-util", +] + [[package]] name = "semver" version = "1.0.19" @@ -860,6 +939,12 @@ dependencies = [ "winapi", ] +[[package]] +name = "similar" +version = "2.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2aeaf503862c419d66959f5d7ca015337d864e9c49485d771b732e2a20453597" + [[package]] name = "smallvec" version = "1.11.0" @@ -1087,6 +1172,16 @@ version = "0.9.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f" +[[package]] +name = "walkdir" +version = "2.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d71d857dc86794ca4c280d616f7da00d2dbfd8cd788846559a6813e6aa4b54ee" +dependencies = [ + "same-file", + "winapi-util", +] + [[package]] name = "winapi" version = "0.3.9" 
@@ -1103,19 +1198,52 @@ version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" +[[package]] +name = "winapi-util" +version = "0.1.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f29e6f9198ba0d26b4c9f07dbe6f9ed633e1f3d5b8b414090084349e46a52596" +dependencies = [ + "winapi", +] + [[package]] name = "winapi-x86_64-pc-windows-gnu" version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" +[[package]] +name = "windows-sys" +version = "0.45.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "75283be5efb2831d37ea142365f009c02ec203cd29a3ebecbc093d52315b66d0" +dependencies = [ + "windows-targets 0.42.2", +] + [[package]] name = "windows-sys" version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9" dependencies = [ - "windows-targets", + "windows-targets 0.48.5", +] + +[[package]] +name = "windows-targets" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8e5180c00cd44c9b1c88adb3693291f1cd93605ded80c250a75d472756b4d071" +dependencies = [ + "windows_aarch64_gnullvm 0.42.2", + "windows_aarch64_msvc 0.42.2", + "windows_i686_gnu 0.42.2", + "windows_i686_msvc 0.42.2", + "windows_x86_64_gnu 0.42.2", + "windows_x86_64_gnullvm 0.42.2", + "windows_x86_64_msvc 0.42.2", ] [[package]] 
@@ -1124,51 +1252,93 @@ version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c" dependencies = [ - "windows_aarch64_gnullvm", - "windows_aarch64_msvc", - "windows_i686_gnu", - "windows_i686_msvc", - "windows_x86_64_gnu", - "windows_x86_64_gnullvm", - "windows_x86_64_msvc", + "windows_aarch64_gnullvm 0.48.5", + "windows_aarch64_msvc 0.48.5", + "windows_i686_gnu 0.48.5", + "windows_i686_msvc 0.48.5", + "windows_x86_64_gnu 0.48.5", + "windows_x86_64_gnullvm 0.48.5", + "windows_x86_64_msvc 0.48.5", ] +[[package]] +name = "windows_aarch64_gnullvm" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "597a5118570b68bc08d8d59125332c54f1ba9d9adeedeef5b99b02ba2b0698f8" + [[package]] name = "windows_aarch64_gnullvm" version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8" +[[package]] +name = "windows_aarch64_msvc" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e08e8864a60f06ef0d0ff4ba04124db8b0fb3be5776a5cd47641e942e58c4d43" + [[package]] name = "windows_aarch64_msvc" version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc" +[[package]] +name = "windows_i686_gnu" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c61d927d8da41da96a81f029489353e68739737d3beca43145c8afec9a31a84f" + [[package]] name = "windows_i686_gnu" version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e" +[[package]] +name = "windows_i686_msvc" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = 
"44d840b6ec649f480a41c8d80f9c65108b92d89345dd94027bfe06ac444d1060" + [[package]] name = "windows_i686_msvc" version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406" +[[package]] +name = "windows_x86_64_gnu" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8de912b8b8feb55c064867cf047dda097f92d51efad5b491dfb98f6bbb70cb36" + [[package]] name = "windows_x86_64_gnu" version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e" +[[package]] +name = "windows_x86_64_gnullvm" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "26d41b46a36d453748aedef1486d5c7a85db22e56aff34643984ea85514e94a3" + [[package]] name = "windows_x86_64_gnullvm" version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc" +[[package]] +name = "windows_x86_64_msvc" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9aec5da331524158c6d1a4ac0ab1541149c0b9505fde06423b02f5ef0106b9f0" + [[package]] name = "windows_x86_64_msvc" version = "0.48.5" @@ -1192,6 +1362,15 @@ dependencies = [ "time", ] +[[package]] +name = "yaml-rust" +version = "0.4.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "56c1936c4cc7a1c9ab21a1ebb602eb942ba868cbd44a99cb7cdc5892335e1c85" +dependencies = [ + "linked-hash-map", +] + [[package]] name = "yansi" version = "0.5.1" diff --git a/rust/Cargo.toml b/rust/Cargo.toml index e2f8ee0..17de08c 100644 --- a/rust/Cargo.toml +++ b/rust/Cargo.toml 
@@ -3,7 +3,7 @@ members = ["ja4", "ja4x"] resolver = "2" [workspace.package] -version = "0.14.0" +version = "0.15.0" license = "LicenseRef-FoxIO-Proprietary" repository = "https://github.com/FoxIO-LLC/ja4" @@ -20,3 +20,13 @@ serde_yaml = "0.9" sha2 = "0.10" tracing = "0.1" tracing-subscriber = { version = "0.3", features = ["env-filter"] } + +# [https://insta.rs/docs/quickstart/#optional-faster-runs] +# +# `insta` benefits from being compiled in release mode, even as dev dependency. +# It will compile slightly slower once, but use less memory, have faster diffs +# and just generally be more fun to use. To achieve that, opt `insta` and `similar` +# (the diffing library) into higher optimization: +[profile.dev.package] +insta.opt-level = 3 +similar.opt-level = 3 diff --git a/rust/ja4/Cargo.toml b/rust/ja4/Cargo.toml index eaa3ec4..c400581 100644 --- a/rust/ja4/Cargo.toml +++ b/rust/ja4/Cargo.toml @@ -35,4 +35,5 @@ tracing-subscriber.workspace = true [dev-dependencies] expect-test = "1.4" +insta = { version = "1.33", features = ["glob", "yaml"] } pretty_assertions = "1.4" diff --git a/rust/ja4/src/error.rs b/rust/ja4/src/error.rs index c4b062f..c0ad0ed 100644 --- a/rust/ja4/src/error.rs +++ b/rust/ja4/src/error.rs @@ -11,7 +11,7 @@ use ja4x::x509_parser; #[derive(Debug, thiserror::Error)] pub enum Error { - #[error("tshark not found: {source}")] + #[error("unable to run 'tshark': {source}")] TsharkNotFound { source: io::Error }, #[error("failed to parse `tshark --version` output")] ParseTsharkVersion, diff --git a/rust/ja4/src/lib.rs b/rust/ja4/src/lib.rs index 956f4bb..9862bc0 100644 --- a/rust/ja4/src/lib.rs +++ b/rust/ja4/src/lib.rs @@ -14,10 +14,7 @@ mod stream; mod time; mod tls; -use std::{ - io::{self, Write as _}, - path::PathBuf, -}; +use std::{io::Write, path::PathBuf}; use clap::Parser; use rtshark::RTSharkBuilder; 
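Review bot: The variant name no longer matches its message in `rust/ja4/src/error.rs`: `TsharkNotFound` now displays as "unable to run 'tshark'", which also covers failures other than a missing binary, whatever `io::Error` the spawn returned. Renaming the variant would break any caller that matches on it, so a doc comment is the cheaper fix, e.g. `/// Spawning tshark failed; source holds the underlying I/O error (not found, not executable, ...).` The `Error` enum continues outside the hunk.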
@@ -68,7 +65,7 @@ pub struct Cli { impl Cli { /// Write JSON with JA4 fingerprints to the standard output. - pub fn run(self) -> Result<()> { + pub fn run(self, writer: &mut W) -> Result<()> { let conf = Conf::load()?; let Cli { json, @@ -117,12 +114,12 @@ impl Cli { // BrokenPipe error. Rust throws it when the stdout is piped to `head`. if json { for rec in streams.into_out(flags) { - serde_json::to_writer(io::stdout(), &rec)?; - writeln!(io::stdout())?; + serde_json::to_writer(&mut *writer, &rec)?; + writeln!(writer)?; } } else { let s = serde_yaml::to_string(&streams.into_out(flags).collect::>())?; - io::stdout().write_all(s.as_bytes())?; + writer.write_all(s.as_bytes())?; } Ok(()) } @@ -212,3 +209,29 @@ fn test_parse_tshark_version() { ); assert!(parse_tshark_version("What the TShark?!").is_none()); } + +// XXX-FIXME(vvv): `test_insta` fails on Windows; see https://github.com/FoxIO-LLC/ja4/issues/10 +#[cfg(not(windows))] +#[test] +fn test_insta() { + insta::glob!( + concat!(env!("CARGO_MANIFEST_DIR"), "/../.."), + "pcap/*.pcap*", + |path| { + let cli = Cli { + json: false, + with_raw: false, + original_order: false, + keylog_file: None, + with_packet_numbers: false, + pcap: path.to_path_buf(), + }; + + let mut output = Vec::::new(); + cli.run(&mut output).unwrap(); + let output = String::from_utf8(output).unwrap(); + + insta::assert_snapshot!(output); + } + ); +} diff --git a/rust/ja4/src/main.rs b/rust/ja4/src/main.rs index 92f6a5a..c590230 100644 --- a/rust/ja4/src/main.rs +++ b/rust/ja4/src/main.rs @@ -19,7 +19,7 @@ fn main() -> eyre::Result<()> { .init(); color_eyre::install()?; - match ja4::Cli::parse().run() { + match ja4::Cli::parse().run(&mut io::stdout()) { Err(ja4::Error::Io(e)) if matches!(e.kind(), io::ErrorKind::BrokenPipe) => Ok(()), Err(e) => Err(e.into()), Ok(()) => Ok(()), 
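Review bot: The doc comment on `run` is stale after this change: it still reads "Write JSON with JA4 fingerprints to the standard output", but the method now writes to the caller-supplied `writer` and, per the hunk at `@@ -117,12 +114,12 @@`, emits YAML unless `json` is set. Suggested replacement: `/// Write JA4 fingerprints to writer: one JSON record per line when json is set, otherwise a single YAML document.` The type parameter `W` is not declared in the signature as shown on this page, presumably lost in rendering, and the body of `run` continues outside the hunk.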
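Review bot: `test_insta` compares against output that depends on the installed `tshark`'s dissectors, but neither the test nor the snapshots record which tshark version produced them, and the CI step in this commit installs whatever the PPA currently serves. A dissector change would then fail every capture at once with no hint at the cause; a comment above the test such as `// Snapshots generated with tshark <VERSION>; re-run and review them after a tshark upgrade.` would make that diagnosable. The glob `pcap/*.pcap*` also takes in `http1-with-cookies.pcapng` and `chrome-cloudflare-quic-with-secrets.pcapng`, so it is worth confirming those captures hold only test traffic, since the committed snapshots publish their addresses and server names.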
diff --git a/rust/ja4/src/snapshots/ja4__insta@browsers-x509.pcapng.snap b/rust/ja4/src/snapshots/ja4__insta@browsers-x509.pcapng.snap new file mode 100644 index 0000000..41504f3 --- /dev/null +++ b/rust/ja4/src/snapshots/ja4__insta@browsers-x509.pcapng.snap 
@@ -0,0 +1,93 @@ +--- +source: ja4/src/lib.rs +expression: output +--- +- stream: 0 + transport: tcp + src: 172.27.7.31 + dst: 13.107.21.239 + src_port: 54524 + dst_port: 443 + tls_server_name: edge.microsoft.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t1206h2_c030_044dc9b3196d + ja4l_c: 56_128 + ja4l_s: 1907_112 +- stream: 1 + transport: tcp + src: 172.27.7.31 + dst: 68.67.160.117 + src_port: 54525 + dst_port: 443 + tls_server_name: nym1-ib.adnxs.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t1207h2_c02b_cf25e267ce22 + tls_certs: + - x509: + - ja4x: 7d5dbb3783b4_2bab15409345_7bf9a7bf7029 + issuerCountryName: US + issuerOrganizationName: DigiCert Inc + issuerOrganizationalUnit: www.digicert.com + issuerCommonName: GeoTrust ECC CA 2018 + subjectCountryName: US + subjectStateOrProvinceName: New York + subjectLocalityName: New York + subjectOrganizationName: Xandr Inc. + subjectCommonName: '*.adnxs.com' + - ja4x: 7d5dbb3783b4_7d5dbb3783b4_44440d41940c + issuerCountryName: US + issuerOrganizationName: DigiCert Inc + issuerOrganizationalUnit: www.digicert.com + issuerCommonName: DigiCert Global Root CA + subjectCountryName: US + subjectOrganizationName: DigiCert Inc + subjectOrganizationalUnit: www.digicert.com + subjectCommonName: GeoTrust ECC CA 2018 + ja4l_c: 73_128 + ja4l_s: 7166_41 +- stream: 2 + transport: tcp + src: 172.27.7.31 + dst: 103.42.133.15 + src_port: 54603 + dst_port: 443 + tls_server_name: lptag.liveperson.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t1205h2_c02f_845f7282a956 + tls_certs: + - x509: + - ja4x: 2bab15409345_2e9214a636bc_b891c0ad6f32 + issuerCountryName: GB + issuerStateOrProvinceName: Greater Manchester + issuerLocalityName: Salford + issuerOrganizationName: Sectigo Limited + issuerCommonName: Sectigo RSA Organization Validation Secure Server CA + subjectCountryName: US + subjectStateOrProvinceName: New York + subjectOrganizationName: LivePerson, Inc + subjectCommonName: '*.liveperson.net' + - ja4x: 
2bab15409345_2bab15409345_2367ce7fbc5b + issuerCountryName: US + issuerStateOrProvinceName: New Jersey + issuerLocalityName: Jersey City + issuerOrganizationName: The USERTRUST Network + issuerCommonName: USERTrust RSA Certification Authority + subjectCountryName: GB + subjectStateOrProvinceName: Greater Manchester + subjectLocalityName: Salford + subjectOrganizationName: Sectigo Limited + subjectCommonName: Sectigo RSA Organization Validation Secure Server CA + - ja4x: 2bab15409345_2bab15409345_2030e37f3421 + issuerCountryName: GB + issuerStateOrProvinceName: Greater Manchester + issuerLocalityName: Salford + issuerOrganizationName: Comodo CA Limited + issuerCommonName: AAA Certificate Services + subjectCountryName: US + subjectStateOrProvinceName: New Jersey + subjectLocalityName: Jersey City + subjectOrganizationName: The USERTRUST Network + subjectCommonName: USERTrust RSA Certification Authority + ja4l_c: 78_128 + ja4l_s: 2948_229 + diff --git a/rust/ja4/src/snapshots/ja4__insta@chrome-cloudflare-quic-with-secrets.pcapng.snap b/rust/ja4/src/snapshots/ja4__insta@chrome-cloudflare-quic-with-secrets.pcapng.snap new file mode 100644 index 0000000..c118ac0 --- /dev/null +++ b/rust/ja4/src/snapshots/ja4__insta@chrome-cloudflare-quic-with-secrets.pcapng.snap @@ -0,0 +1,29 @@ +--- +source: ja4/src/lib.rs +expression: output +--- +- stream: 0 + transport: tcp + src: 2001:db8:1::1 + dst: 2606:4700:10::6816:826 + src_port: 57098 + dst_port: 443 + tls_server_name: cloudflare-quic.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_234ea6891581 + ja4l_c: 30_64 + ja4l_s: 5749_56 + http: + - ja4h: ge20nn16enus_0f5a7a41a252_000000000000_000000000000 +- stream: 0 + transport: udp + src: 2001:db8:1::1 + dst: 2606:4700:10::6816:826 + src_port: 50280 + dst_port: 443 + tls_server_name: cloudflare-quic.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + ja4s: q130200_1301_234ea6891581 + ja4l_c: 113_64 + ja4l_s: 9285_56 + 
diff --git a/rust/ja4/src/snapshots/ja4__insta@http1-with-cookies.pcapng.snap b/rust/ja4/src/snapshots/ja4__insta@http1-with-cookies.pcapng.snap new file mode 100644 index 0000000..ff0b654 --- /dev/null +++ b/rust/ja4/src/snapshots/ja4__insta@http1-with-cookies.pcapng.snap @@ -0,0 +1,15 @@ +--- +source: ja4/src/lib.rs +expression: output +--- +- stream: 0 + transport: tcp + src: 127.0.0.1 + dst: 127.0.0.1 + src_port: 61256 + dst_port: 8000 + ja4l_c: 14_64 + ja4l_s: 64_64 + http: + - ja4h: ge11cr04da00_8ddaef5d77af_280f366eaa04_c2fb0fe53442 + diff --git a/rust/ja4/src/snapshots/ja4__insta@http1.pcapng.snap b/rust/ja4/src/snapshots/ja4__insta@http1.pcapng.snap new file mode 100644 index 0000000..fb96805 --- /dev/null +++ b/rust/ja4/src/snapshots/ja4__insta@http1.pcapng.snap 
@@ -0,0 +1,446 @@ +--- +source: ja4/src/lib.rs +expression: output +--- +- stream: 0 + transport: tcp + src: 192.168.1.191 + dst: 192.168.1.1 + src_port: 48456 + dst_port: 8080 + http: + - ja4h: po11nn050000_530ceba2075f_000000000000_000000000000 +- stream: 1 + transport: tcp + src: 192.168.1.118 + dst: 192.168.1.1 + src_port: 45042 + dst_port: 8080 + http: + - ja4h: po11nn050000_530ceba2075f_000000000000_000000000000 +- stream: 2 + transport: tcp + src: 192.168.1.191 + dst: 192.168.1.1 + src_port: 48458 + dst_port: 8080 + http: + - ja4h: po11nn050000_530ceba2075f_000000000000_000000000000 +- stream: 3 + transport: tcp + src: 192.168.1.118 + dst: 192.168.1.1 + src_port: 45044 + dst_port: 8080 + http: + - ja4h: po11nn050000_530ceba2075f_000000000000_000000000000 +- stream: 4 + transport: tcp + src: 192.168.1.147 + dst: 142.251.16.94 + src_port: 56404 + dst_port: 80 + http: + - ja4h: he11nn05enus_6f8992deff94_000000000000_000000000000 + - ja4h: he11nn05enus_6f8992deff94_000000000000_000000000000 +- stream: 5 + transport: tcp + src: 192.168.1.191 + dst: 192.168.1.1 + src_port: 48460 + dst_port: 8080 + http: + - ja4h: po11nn050000_530ceba2075f_000000000000_000000000000 +- stream: 6 + transport: tcp + src: 192.168.1.118 + dst: 192.168.1.1 + src_port: 45046 + dst_port: 8080 + http: + - ja4h: po11nn050000_530ceba2075f_000000000000_000000000000 +- stream: 7 + transport: tcp + src: 192.168.1.191 + dst: 192.168.1.1 + src_port: 48462 + dst_port: 8080 + http: + - ja4h: po11nn050000_530ceba2075f_000000000000_000000000000 +- stream: 8 + transport: tcp + src: 192.168.1.118 + dst: 192.168.1.1 + src_port: 45048 + dst_port: 8080 + http: + - ja4h: po11nn050000_530ceba2075f_000000000000_000000000000 +- stream: 9 + transport: tcp + src: 192.168.1.191 + dst: 192.168.1.1 + src_port: 48464 + dst_port: 8080 + http: + - ja4h: po11nn050000_530ceba2075f_000000000000_000000000000 +- stream: 10 + transport: tcp + src: 192.168.1.118 + dst: 192.168.1.1 + src_port: 45050 + dst_port: 8080 + http: + 
- ja4h: po11nn050000_530ceba2075f_000000000000_000000000000 +- stream: 11 + transport: tcp + src: 192.168.1.191 + dst: 192.168.1.1 + src_port: 48466 + dst_port: 8080 + http: + - ja4h: po11nn050000_530ceba2075f_000000000000_000000000000 +- stream: 12 + transport: tcp + src: 192.168.1.191 + dst: 192.168.1.1 + src_port: 48468 + dst_port: 8080 + http: + - ja4h: po11nn050000_530ceba2075f_000000000000_000000000000 +- stream: 13 + transport: tcp + src: 192.168.1.118 + dst: 192.168.1.1 + src_port: 45052 + dst_port: 8080 + http: + - ja4h: po11nn050000_530ceba2075f_000000000000_000000000000 +- stream: 14 + transport: tcp + src: 192.168.1.191 + dst: 192.168.1.1 + src_port: 48470 + dst_port: 8080 + http: + - ja4h: po11nn050000_530ceba2075f_000000000000_000000000000 +- stream: 15 + transport: tcp + src: 192.168.1.118 + dst: 192.168.1.1 + src_port: 45054 + dst_port: 8080 + http: + - ja4h: po11nn050000_530ceba2075f_000000000000_000000000000 +- stream: 16 + transport: tcp + src: 192.168.1.191 + dst: 192.168.1.1 + src_port: 48472 + dst_port: 8080 + http: + - ja4h: po11nn050000_530ceba2075f_000000000000_000000000000 +- stream: 18 + transport: tcp + src: 192.168.1.191 + dst: 192.168.1.1 + src_port: 48476 + dst_port: 8080 + http: + - ja4h: po11nn050000_530ceba2075f_000000000000_000000000000 +- stream: 19 + transport: tcp + src: 192.168.1.118 + dst: 192.168.1.1 + src_port: 45056 + dst_port: 8080 + http: + - ja4h: po11nn050000_530ceba2075f_000000000000_000000000000 +- stream: 20 + transport: tcp + src: 192.168.1.191 + dst: 192.168.1.1 + src_port: 48478 + dst_port: 8080 + http: + - ja4h: po11nn050000_530ceba2075f_000000000000_000000000000 +- stream: 21 + transport: tcp + src: 192.168.1.191 + dst: 192.168.1.1 + src_port: 48480 + dst_port: 8080 + http: + - ja4h: po11nn050000_530ceba2075f_000000000000_000000000000 +- stream: 22 + transport: tcp + src: 192.168.1.188 + dst: 52.85.151.11 + src_port: 38660 + dst_port: 80 + http: + - ja4h: ge11nn040000_ad0fd3707af2_000000000000_000000000000 +- 
stream: 23 + transport: tcp + src: 192.168.1.136 + dst: 142.251.167.94 + src_port: 41355 + dst_port: 80 + http: + - ja4h: ge11nn040000_4f6f4aad0c1e_000000000000_000000000000 +- stream: 24 + transport: tcp + src: 192.168.1.136 + dst: 104.86.99.193 + src_port: 39698 + dst_port: 80 + http: + - ja4h: he11nn040000_4f6f4aad0c1e_000000000000_000000000000 +- stream: 25 + transport: tcp + src: 192.168.1.136 + dst: 192.168.1.1 + src_port: 44238 + dst_port: 41547 + http: + - ja4h: ge11nn050000_e1365771aae9_000000000000_000000000000 +- stream: 26 + transport: tcp + src: 192.168.1.136 + dst: 192.168.1.1 + src_port: 44239 + dst_port: 41547 + http: + - ja4h: ge11nn050000_e1365771aae9_000000000000_000000000000 +- stream: 27 + transport: tcp + src: 192.168.1.136 + dst: 192.168.1.1 + src_port: 44240 + dst_port: 41547 + http: + - ja4h: ge11nn050000_e1365771aae9_000000000000_000000000000 +- stream: 28 + transport: tcp + src: 192.168.1.136 + dst: 192.168.1.1 + src_port: 44241 + dst_port: 41547 + http: + - ja4h: ge11nn050000_e1365771aae9_000000000000_000000000000 +- stream: 29 + transport: tcp + src: 192.168.1.136 + dst: 192.168.1.1 + src_port: 44242 + dst_port: 41547 + http: + - ja4h: ge11nn050000_e1365771aae9_000000000000_000000000000 +- stream: 30 + transport: tcp + src: 192.168.1.136 + dst: 192.168.1.1 + src_port: 44243 + dst_port: 41547 + http: + - ja4h: ge11nn050000_e1365771aae9_000000000000_000000000000 +- stream: 31 + transport: tcp + src: 192.168.1.136 + dst: 192.168.1.1 + src_port: 44244 + dst_port: 41547 + http: + - ja4h: ge11nn050000_e1365771aae9_000000000000_000000000000 +- stream: 32 + transport: tcp + src: 192.168.1.136 + dst: 192.168.1.1 + src_port: 44245 + dst_port: 41547 + http: + - ja4h: ge11nn050000_e1365771aae9_000000000000_000000000000 +- stream: 33 + transport: tcp + src: 192.168.1.136 + dst: 192.168.1.1 + src_port: 44250 + dst_port: 41547 + http: + - ja4h: ge11nn050000_e1365771aae9_000000000000_000000000000 +- stream: 34 + transport: tcp + src: 192.168.1.136 + 
dst: 192.168.1.1 + src_port: 44251 + dst_port: 41547 + http: + - ja4h: ge11nn050000_e1365771aae9_000000000000_000000000000 +- stream: 35 + transport: tcp + src: 192.168.1.136 + dst: 192.168.1.1 + src_port: 44252 + dst_port: 41547 + http: + - ja4h: ge11nn050000_e1365771aae9_000000000000_000000000000 +- stream: 36 + transport: tcp + src: 192.168.1.136 + dst: 192.168.1.1 + src_port: 44253 + dst_port: 41547 + http: + - ja4h: ge11nn050000_e1365771aae9_000000000000_000000000000 +- stream: 37 + transport: tcp + src: 192.168.1.136 + dst: 192.168.1.1 + src_port: 44254 + dst_port: 41547 + http: + - ja4h: ge11nn050000_e1365771aae9_000000000000_000000000000 +- stream: 38 + transport: tcp + src: 192.168.1.136 + dst: 192.168.1.1 + src_port: 44255 + dst_port: 41547 + http: + - ja4h: ge11nn050000_e1365771aae9_000000000000_000000000000 +- stream: 39 + transport: tcp + src: 192.168.1.136 + dst: 192.168.1.1 + src_port: 44256 + dst_port: 41547 + http: + - ja4h: ge11nn050000_e1365771aae9_000000000000_000000000000 +- stream: 40 + transport: tcp + src: 192.168.1.136 + dst: 192.168.1.1 + src_port: 44257 + dst_port: 41547 + http: + - ja4h: ge11nn050000_e1365771aae9_000000000000_000000000000 +- stream: 41 + transport: tcp + src: 192.168.1.118 + dst: 192.168.1.1 + src_port: 45058 + dst_port: 8080 + http: + - ja4h: po11nn050000_530ceba2075f_000000000000_000000000000 +- stream: 42 + transport: tcp + src: 192.168.1.191 + dst: 192.168.1.1 + src_port: 48482 + dst_port: 8080 + http: + - ja4h: po11nn050000_530ceba2075f_000000000000_000000000000 +- stream: 43 + transport: tcp + src: 192.168.1.191 + dst: 192.168.1.1 + src_port: 48484 + dst_port: 8080 + http: + - ja4h: po11nn050000_530ceba2075f_000000000000_000000000000 +- stream: 44 + transport: tcp + src: 192.168.1.191 + dst: 192.168.1.1 + src_port: 48486 + dst_port: 8080 + http: + - ja4h: po11nn050000_530ceba2075f_000000000000_000000000000 +- stream: 45 + transport: tcp + src: 192.168.1.118 + dst: 192.168.1.1 + src_port: 45060 + dst_port: 8080 + 
http: + - ja4h: po11nn050000_530ceba2075f_000000000000_000000000000 +- stream: 46 + transport: tcp + src: 192.168.1.100 + dst: 104.18.20.64 + src_port: 40978 + dst_port: 80 + http: + - ja4h: ge11nn040000_532a1ee47909_000000000000_000000000000 +- stream: 47 + transport: tcp + src: 192.168.1.100 + dst: 192.168.1.1 + src_port: 60164 + dst_port: 41547 + http: + - ja4h: ge11nn030000_f8649f6808db_000000000000_000000000000 +- stream: 48 + transport: tcp + src: 192.168.1.100 + dst: 192.168.1.1 + src_port: 60180 + dst_port: 41547 + http: + - ja4h: po11nn080000_6977d1188c03_000000000000_000000000000 +- stream: 49 + transport: tcp + src: 192.168.1.100 + dst: 192.168.1.1 + src_port: 60186 + dst_port: 41547 + http: + - ja4h: po11nn080000_6977d1188c03_000000000000_000000000000 +- stream: 50 + transport: tcp + src: 192.168.1.100 + dst: 192.168.1.1 + src_port: 60200 + dst_port: 41547 + http: + - ja4h: po11nn080000_6977d1188c03_000000000000_000000000000 +- stream: 51 + transport: tcp + src: 192.168.1.118 + dst: 192.168.1.1 + src_port: 45062 + dst_port: 8080 + http: + - ja4h: po11nn050000_530ceba2075f_000000000000_000000000000 +- stream: 52 + transport: tcp + src: 192.168.1.100 + dst: 192.168.1.1 + src_port: 60204 + dst_port: 41547 + http: + - ja4h: ge11nn030000_f8649f6808db_000000000000_000000000000 +- stream: 53 + transport: tcp + src: 192.168.1.100 + dst: 192.168.1.1 + src_port: 60220 + dst_port: 41547 + http: + - ja4h: po11nn080000_6977d1188c03_000000000000_000000000000 +- stream: 54 + transport: tcp + src: 192.168.1.100 + dst: 192.168.1.1 + src_port: 60222 + dst_port: 41547 + http: + - ja4h: po11nn080000_6977d1188c03_000000000000_000000000000 +- stream: 55 + transport: tcp + src: 192.168.1.100 + dst: 192.168.1.1 + src_port: 60230 + dst_port: 41547 + http: + - ja4h: po11nn080000_6977d1188c03_000000000000_000000000000 + 
diff --git a/rust/ja4/src/snapshots/ja4__insta@http2-with-cookies.pcapng.snap b/rust/ja4/src/snapshots/ja4__insta@http2-with-cookies.pcapng.snap new file mode 100644 index 0000000..ee79b51 --- /dev/null +++ b/rust/ja4/src/snapshots/ja4__insta@http2-with-cookies.pcapng.snap @@ -0,0 +1,32 @@ +--- +source: ja4/src/lib.rs +expression: output +--- +- stream: 0 + transport: tcp + src: 192.168.2.200 + dst: 142.250.187.206 + src_port: 58847 + dst_port: 443 + tls_server_name: youtube.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_234ea6891581 + ja4l_c: 47_128 + ja4l_s: 44840_117 + http: + - ja4h: ge20cn23enus_641f0b6ae3f0_c7713052b7e4_348cad68b6fb + - ja4h: ge20cn17enus_949f364da66f_e43af2e8abfe_015bb0ca5596 + - ja4h: ge20cr22enus_265608141a12_10ff48fdaa11_ac323afc21f7 + - ja4h: ge20cr22enus_265608141a12_10ff48fdaa11_ac323afc21f7 + - ja4h: ge20cr22enus_265608141a12_10ff48fdaa11_ac323afc21f7 + - ja4h: ge20cr22enus_265608141a12_10ff48fdaa11_ac323afc21f7 + - ja4h: ge20cr22enus_265608141a12_10ff48fdaa11_ac323afc21f7 + - ja4h: ge20cr22enus_265608141a12_10ff48fdaa11_ac323afc21f7 + - ja4h: ge20cr22enus_265608141a12_10ff48fdaa11_ac323afc21f7 + - ja4h: ge20cr22enus_265608141a12_10ff48fdaa11_ac323afc21f7 + - ja4h: ge20cr22enus_265608141a12_10ff48fdaa11_ac323afc21f7 + - ja4h: ge20cr22enus_265608141a12_10ff48fdaa11_ac323afc21f7 + - ja4h: ge20cr22enus_265608141a12_10ff48fdaa11_ac323afc21f7 + - ja4h: ge20cr22enus_265608141a12_10ff48fdaa11_ac323afc21f7 + - ja4h: ge20cr22enus_265608141a12_10ff48fdaa11_ac323afc21f7 + diff --git a/rust/ja4/src/snapshots/ja4__insta@ipv6.pcapng.snap b/rust/ja4/src/snapshots/ja4__insta@ipv6.pcapng.snap new file mode 100644 index 0000000..a209889 --- /dev/null +++ b/rust/ja4/src/snapshots/ja4__insta@ipv6.pcapng.snap 
@@ -0,0 +1,41 @@ +--- +source: ja4/src/lib.rs +expression: output +--- +- stream: 0 + transport: tcp + src: 2001:4998:ef83:14:8000::100d + dst: 2606:4700::6811:d209 + src_port: 64034 + dst_port: 443 + tls_server_name: www.cloudflare.com + ja4: t12d4605h2_85626a9a5f7f_aaf95bb78ec9 + ja4s: t1204h2_cca9_1428ce7b4018 + tls_certs: + - x509: + - ja4x: 7d5dbb3783b4_ba7ce0880c07_7bf9a7bf7029 + issuerCountryName: US + issuerOrganizationName: DigiCert Inc + issuerOrganizationalUnit: www.digicert.com + issuerCommonName: DigiCert ECC Extended Validation Server CA + subjectBusinessCategory: Private Organization + subjectMsJurisdictionCountry: US + subjectMsJurisdictionStateOrProvince: Delaware + subjectSerialNumber: '4710875' + subjectCountryName: US + subjectStateOrProvinceName: California + subjectLocalityName: San Francisco + subjectOrganizationName: Cloudflare, Inc. + subjectCommonName: cloudflare.com + - ja4x: 7d5dbb3783b4_7d5dbb3783b4_41a019652939 + issuerCountryName: US + issuerOrganizationName: DigiCert Inc + issuerOrganizationalUnit: www.digicert.com + issuerCommonName: DigiCert High Assurance EV Root CA + subjectCountryName: US + subjectOrganizationName: DigiCert Inc + subjectOrganizationalUnit: www.digicert.com + subjectCommonName: DigiCert ECC Extended Validation Server CA + ja4l_c: 35_64 + ja4l_s: 18861_59 + diff --git a/rust/ja4/src/snapshots/ja4__insta@latest.pcapng.snap b/rust/ja4/src/snapshots/ja4__insta@latest.pcapng.snap new file mode 100644 index 0000000..73105bf --- /dev/null +++ b/rust/ja4/src/snapshots/ja4__insta@latest.pcapng.snap 
@@ -0,0 +1,108 @@ +--- +source: ja4/src/lib.rs +expression: output +--- +- stream: 1 + transport: tcp + src: 172.16.225.48 + dst: 34.212.93.65 + src_port: 52936 + dst_port: 443 + tls_server_name: pdx-col.eum-appdynamics.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t1206h2_c02f_3603f09c43ba + tls_certs: + - x509: + - ja4x: a373a9f83c6b_2bab15409345_7bf9a7bf7029 + issuerCountryName: US + issuerOrganizationName: DigiCert Inc + issuerCommonName: DigiCert Global G2 TLS RSA SHA256 2020 CA1 + subjectCountryName: US + subjectStateOrProvinceName: California + subjectLocalityName: San Francisco + subjectOrganizationName: AppDynamics LLC + subjectCommonName: '*.eum-appdynamics.com' + - ja4x: 7d5dbb3783b4_a373a9f83c6b_a83ffcd6e6c2 + issuerCountryName: US + issuerOrganizationName: DigiCert Inc + issuerOrganizationalUnit: www.digicert.com + issuerCommonName: DigiCert Global Root G2 + subjectCountryName: US + subjectOrganizationName: DigiCert Inc + subjectCommonName: DigiCert Global G2 TLS RSA SHA256 2020 CA1 + ja4l_c: 62_128 + ja4l_s: 33804_227 +- stream: 3 + transport: tcp + src: 172.16.225.48 + dst: 13.33.165.101 + src_port: 52937 + dst_port: 443 + tls_server_name: discovery.cem.cloud.us + ja4: t12d190800_d83cc789557e_7af1ed941c26 + ja4s: t120600_c02f_51ad275821ba + tls_certs: + - x509: + - ja4x: a373a9f83c6b_2bab15409345_7bf9a7bf7029 + issuerCountryName: US + issuerOrganizationName: DigiCert Inc + issuerCommonName: DigiCert TLS RSA SHA256 2020 CA1 + subjectCountryName: US + subjectStateOrProvinceName: Florida + subjectLocalityName: Fort Lauderdale + subjectOrganizationName: Citrix Systems, Inc. 
+ subjectCommonName: '*.cem.cloud.us' + - ja4x: 7d5dbb3783b4_a373a9f83c6b_a83ffcd6e6c2 + issuerCountryName: US + issuerOrganizationName: DigiCert Inc + issuerOrganizationalUnit: www.digicert.com + issuerCommonName: DigiCert Global Root CA + subjectCountryName: US + subjectOrganizationName: DigiCert Inc + subjectCommonName: DigiCert TLS RSA SHA256 2020 CA1 + ja4l_c: 57_128 + ja4l_s: 7096_245 +- stream: 5 + transport: tcp + src: 172.16.225.48 + dst: 34.205.195.66 + src_port: 52938 + dst_port: 443 + tls_server_name: app.slack.com + ja4: t13d1516h2_8daaf6152771_9b887d9acb53 + ja4s: t130300_1301_6bbbaf601ed8 + ja4l_c: 47_128 + ja4l_s: 14207_43 +- stream: 6 + transport: tcp + src: 172.16.225.48 + dst: 23.43.242.57 + src_port: 52939 + dst_port: 80 + ja4l_c: 32_128 + ja4l_s: 3915_57 + http: + - ja4h: ge11nn07enus_3e3b55d61660_000000000000_000000000000 +- stream: 9 + transport: tcp + src: 172.16.225.48 + dst: 52.249.29.248 + src_port: 52940 + dst_port: 443 + tls_server_name: ping-edge.smartscreen.microsoft.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t120300_c030_09f674154ab3 + ja4l_c: 40_128 + ja4l_s: 42103_109 +- stream: 10 + transport: tcp + src: 172.16.225.48 + dst: 52.249.29.248 + src_port: 52941 + dst_port: 443 + tls_server_name: data-edge.smartscreen.microsoft.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t120300_c030_09f674154ab3 + ja4l_c: 61_128 + ja4l_s: 53595_109 + diff --git a/rust/ja4/src/snapshots/ja4__insta@quic-tls-handshake.pcapng.snap b/rust/ja4/src/snapshots/ja4__insta@quic-tls-handshake.pcapng.snap new file mode 100644 index 0000000..84509e0 --- /dev/null +++ b/rust/ja4/src/snapshots/ja4__insta@quic-tls-handshake.pcapng.snap @@ -0,0 +1,13 @@ +--- +source: ja4/src/lib.rs +expression: output +--- +- stream: 0 + transport: udp + src: 192.168.1.168 + dst: 142.251.163.147 + src_port: 59102 + dst_port: 443 + tls_server_name: www.google.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + 
diff --git a/rust/ja4/src/snapshots/ja4__insta@quic-with-several-tls-frames.pcapng.snap b/rust/ja4/src/snapshots/ja4__insta@quic-with-several-tls-frames.pcapng.snap new file mode 100644 index 0000000..7f7372e --- /dev/null +++ b/rust/ja4/src/snapshots/ja4__insta@quic-with-several-tls-frames.pcapng.snap @@ -0,0 +1,13 @@ +--- +source: ja4/src/lib.rs +expression: output +--- +- stream: 0 + transport: udp + src: 192.168.1.168 + dst: 142.251.16.100 + src_port: 55906 + dst_port: 443 + tls_server_name: ogs.google.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + diff --git a/rust/ja4/src/snapshots/ja4__insta@ssh-scp-1050.pcap.snap b/rust/ja4/src/snapshots/ja4__insta@ssh-scp-1050.pcap.snap new file mode 100644 index 0000000..018ec81 --- /dev/null +++ b/rust/ja4/src/snapshots/ja4__insta@ssh-scp-1050.pcap.snap @@ -0,0 +1,25 @@ +--- +source: ja4/src/lib.rs +expression: output +--- +- stream: 0 + transport: tcp + src: 192.168.1.169 + dst: 192.168.1.197 + src_port: 49237 + dst_port: 22 + ja4l_c: 179_128 + ja4l_s: 38_64 + ja4ssh: + - c112s80_c52s107_c35s5 + - c0s1460_c0s174_c26s0 + - c112s1460_c13s150_c37s0 + - c0s1460_c0s178_c22s0 + - c0s1460_c0s179_c21s0 + ssh_extras: + hassh: eb6d4c713c7dcaba7cfd070b095213a9 + hassh_server: 6832f1ce43d4397c2c0a3e2f8c94334e + ssh_protocol_client: SSH-2.0-WinSCP_release_5.17.10 + ssh_protocol_server: SSH-2.0-OpenSSH_7.4 + encryption_algorithm: chacha20-poly1305@openssh.com + diff --git a/rust/ja4/src/snapshots/ja4__insta@ssh.pcapng.snap b/rust/ja4/src/snapshots/ja4__insta@ssh.pcapng.snap new file mode 100644 index 0000000..cc5cda6 --- /dev/null +++ b/rust/ja4/src/snapshots/ja4__insta@ssh.pcapng.snap 
@@ -0,0 +1,20 @@ +--- +source: ja4/src/lib.rs +expression: output +--- +- stream: 0 + transport: tcp + src: 172.16.225.48 + dst: 54.160.114.75 + src_port: 57377 + dst_port: 22 + ja4ssh: + - c36s36_c76s124_c0s0 + - c36s52_c42s76_c0s0 + ssh_extras: + hassh: 06046964c022c6407d15a27b12a6a4fb + hassh_server: 699519fdcc30cbcd093d5cd01e4b1d56 + ssh_protocol_client: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.5 + ssh_protocol_server: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1 + encryption_algorithm: chacha20-poly1305@openssh.com + diff --git a/rust/ja4/src/snapshots/ja4__insta@ssh2.pcapng.snap b/rust/ja4/src/snapshots/ja4__insta@ssh2.pcapng.snap new file mode 100644 index 0000000..686bc2f --- /dev/null +++ b/rust/ja4/src/snapshots/ja4__insta@ssh2.pcapng.snap 
@@ -0,0 +1,190 @@ +--- +source: ja4/src/lib.rs +expression: output +--- +- stream: 5 + transport: tcp + src: 172.16.225.48 + dst: 146.112.255.155 + src_port: 57368 + dst_port: 443 + tls_server_name: updates.opendns.com + ja4: t12d190800_d83cc789557e_7af1ed941c26 + ja4s: t120400_c02f_4993ccf7354b + tls_certs: + - x509: + - ja4x: a373a9f83c6b_2bab15409345_7bf9a7bf7029 + issuerCountryName: US + issuerOrganizationName: DigiCert Inc + issuerCommonName: DigiCert TLS RSA SHA256 2020 CA1 + subjectCountryName: US + subjectStateOrProvinceName: California + subjectLocalityName: San Francisco + subjectOrganizationName: Cisco OpenDNS LLC + subjectCommonName: api.opendns.com + - ja4x: 7d5dbb3783b4_a373a9f83c6b_a83ffcd6e6c2 + issuerCountryName: US + issuerOrganizationName: DigiCert Inc + issuerOrganizationalUnit: www.digicert.com + issuerCommonName: DigiCert Global Root CA + subjectCountryName: US + subjectOrganizationName: DigiCert Inc + subjectCommonName: DigiCert TLS RSA SHA256 2020 CA1 + ja4l_c: 44_128 + ja4l_s: 12517_53 +- stream: 8 + transport: tcp + src: 172.16.225.48 + dst: 34.248.242.11 + src_port: 57371 + dst_port: 443 + tls_server_name: mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com + ja4: t12d1909h2_d83cc789557e_7af1ed941c26 + ja4s: t120500_c02f_6471ab80eb72 + tls_certs: + - x509: + - ja4x: f7a0b866a27b_30b9c68c9fc8_8f2dd91f85ae + issuerCommonName: Sophos SHA256 MCS Root CA3 + issuerStateOrProvinceName: Oxfordshire + issuerCountryName: UK + issuerOrganizationName: Sophos Ltd + subjectCommonName: mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com + subjectStateOrProvinceName: Oxfordshire + subjectCountryName: GB + subjectOrganizationName: Sophos Ltd. 
+ subjectOrganizationalUnit: SaaS + - ja4x: f7a0b866a27b_f7a0b866a27b_b189698ac141 + issuerCommonName: Sophos SHA256 MCS Root CA3 + issuerStateOrProvinceName: Oxfordshire + issuerCountryName: UK + issuerOrganizationName: Sophos Ltd + subjectCommonName: Sophos SHA256 MCS Root CA3 + subjectStateOrProvinceName: Oxfordshire + subjectCountryName: UK + subjectOrganizationName: Sophos Ltd + ja4l_c: 56_128 + ja4l_s: 55492_235 +- stream: 11 + transport: tcp + src: 172.16.225.48 + dst: 52.178.17.3 + src_port: 57374 + dst_port: 443 + tls_server_name: self.events.data.microsoft.com + ja4: t12d190800_d83cc789557e_7af1ed941c26 + ja4s: t120300_c030_09f674154ab3 + ja4l_c: 46_128 + ja4l_s: 49308_110 +- stream: 12 + transport: tcp + src: 172.16.225.48 + dst: 204.79.197.220 + src_port: 57375 + dst_port: 443 + tls_server_name: www.bing.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t1205h2_c030_015e35fdd027 + ja4l_c: 55_128 + ja4l_s: 3217_119 +- stream: 13 + transport: tcp + src: 172.16.225.48 + dst: 52.86.25.233 + src_port: 57376 + dst_port: 443 + tls_server_name: 4.sophosxl.net + ja4: t12d1909h2_d83cc789557e_7af1ed941c26 + ja4s: t120200_c02f_344b4dce5a52 + tls_certs: + - x509: + - ja4x: a373a9f83c6b_7022c563de38_7bf9a7bf7029 + issuerCountryName: US + issuerOrganizationName: Amazon + issuerCommonName: Amazon RSA 2048 M02 + subjectCommonName: 4.sophosxl.net + - ja4x: a373a9f83c6b_a373a9f83c6b_3684c5172069 + issuerCountryName: US + issuerOrganizationName: Amazon + issuerCommonName: Amazon Root CA 1 + subjectCountryName: US + subjectOrganizationName: Amazon + subjectCommonName: Amazon RSA 2048 M02 + - ja4x: 2bab15409345_a373a9f83c6b_44ce05048d28 + issuerCountryName: US + issuerStateOrProvinceName: Arizona + issuerLocalityName: Scottsdale + issuerOrganizationName: Starfield Technologies, Inc. 
+ issuerCommonName: Starfield Services Root Certificate Authority - G2 + subjectCountryName: US + subjectOrganizationName: Amazon + subjectCommonName: Amazon Root CA 1 + - ja4x: e7bc7ebc3d9e_2bab15409345_44ce05048d28 + issuerCountryName: US + issuerOrganizationName: Starfield Technologies, Inc. + issuerOrganizationalUnit: Starfield Class 2 Certification Authority + subjectCountryName: US + subjectStateOrProvinceName: Arizona + subjectLocalityName: Scottsdale + subjectOrganizationName: Starfield Technologies, Inc. + subjectCommonName: Starfield Services Root Certificate Authority - G2 + ja4l_c: 58_128 + ja4l_s: 18693_241 +- stream: 14 + transport: tcp + src: 172.16.225.48 + dst: 54.160.114.75 + src_port: 57377 + dst_port: 22 + ja4l_c: 77_128 + ja4l_s: 12897_50 + ja4ssh: + - c36s36_c55s87_c51s6 + - c36s36_c49s90_c59s2 + - c36s36_c14s23_c15s0 + ssh_extras: + hassh: 06046964c022c6407d15a27b12a6a4fb + hassh_server: 699519fdcc30cbcd093d5cd01e4b1d56 + ssh_protocol_client: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.5 + ssh_protocol_server: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1 + encryption_algorithm: chacha20-poly1305@openssh.com +- stream: 15 + transport: tcp + src: 172.16.225.48 + dst: 184.150.157.177 + src_port: 57380 + dst_port: 80 + ja4l_c: 45_128 + ja4l_s: 6252_58 + http: + - ja4h: ge11nn030000_9ab90a797ba7_000000000000_000000000000 +- stream: 22 + transport: tcp + src: 172.16.225.48 + dst: 184.150.157.177 + src_port: 57396 + dst_port: 80 + ja4l_c: 50_128 + ja4l_s: 4272_58 + http: + - ja4h: ge11nn030000_9ab90a797ba7_000000000000_000000000000 +- stream: 33 + transport: udp + src: 172.16.225.48 + dst: 142.251.32.74 + src_port: 51810 + dst_port: 443 + tls_server_name: signaler-pa.clients6.google.com + ja4: q13d0312h3_55b375c5d22e_73e2d9e6cde6 + ja4s: q130300_1301_6bbbaf601ed8 +- stream: 36 + transport: udp + src: 172.16.225.48 + dst: 142.251.41.46 + src_port: 61861 + dst_port: 443 + tls_server_name: meet.google.com + ja4: q13d0312h3_55b375c5d22e_73e2d9e6cde6 + ja4s: 
q130200_1301_234ea6891581 + ja4l_c: 169_128 + ja4l_s: 5389_57 + diff --git a/rust/ja4/src/snapshots/ja4__insta@tls-handshake.pcapng.snap b/rust/ja4/src/snapshots/ja4__insta@tls-handshake.pcapng.snap new file mode 100644 index 0000000..12950b9 --- /dev/null +++ b/rust/ja4/src/snapshots/ja4__insta@tls-handshake.pcapng.snap 
@@ -0,0 +1,828 @@ +--- +source: ja4/src/lib.rs +expression: output +--- +- stream: 0 + transport: tcp + src: 192.168.1.168 + dst: 142.251.16.94 + src_port: 50112 + dst_port: 443 + tls_server_name: clientservices.googleapis.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_234ea6891581 +- stream: 1 + transport: tcp + src: 192.168.1.168 + dst: 142.251.163.147 + src_port: 50113 + dst_port: 443 + tls_server_name: www.google.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_234ea6891581 +- stream: 2 + transport: tcp + src: 192.168.1.168 + dst: 172.253.122.84 + src_port: 50114 + dst_port: 443 + tls_server_name: accounts.google.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_234ea6891581 +- stream: 3 + transport: tcp + src: 192.168.1.168 + dst: 142.251.16.95 + src_port: 50115 + dst_port: 443 + tls_server_name: www.googleapis.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_234ea6891581 +- stream: 4 + transport: tcp + src: 192.168.1.168 + dst: 104.112.30.74 + src_port: 50116 + dst_port: 443 + tls_server_name: lastpass.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1302_a56c5b993250 +- stream: 5 + transport: tcp + src: 192.168.1.168 + dst: 192.241.241.147 + src_port: 50122 + dst_port: 443 + tls_server_name: lp-push-server-452.lastpass.com + ja4: t13d1516h1_8daaf6152771_e5627efa2ab1 + ja4s: t120300_c030_bec8bdbaef8a + tls_certs: + - x509: + - ja4x: a373a9f83c6b_2bab15409345_5a6862e71bea + issuerCountryName: BE + issuerOrganizationName: GlobalSign nv-sa + issuerCommonName: GlobalSign RSA OV SSL CA 2018 + subjectCountryName: US + subjectStateOrProvinceName: Massachusetts + subjectLocalityName: Boston + subjectOrganizationName: LASTPASS US LP + subjectCommonName: '*.lastpass.com' + - ja4x: 0b479b1b5763_a373a9f83c6b_2fbee3f04f3b + issuerOrganizationalUnit: GlobalSign Root CA - R3 + issuerOrganizationName: GlobalSign + issuerCommonName: GlobalSign + subjectCountryName: BE + 
subjectOrganizationName: GlobalSign nv-sa + subjectCommonName: GlobalSign RSA OV SSL CA 2018 +- stream: 6 + transport: tcp + src: 192.168.1.168 + dst: 142.251.163.188 + src_port: 50123 + dst_port: 5228 + tls_server_name: mtalk.google.com + ja4: t13d151400_8daaf6152771_de4a06bb82e3 + ja4s: t130200_1301_234ea6891581 +- stream: 7 + transport: tcp + src: 192.168.1.168 + dst: 172.253.122.94 + src_port: 50126 + dst_port: 443 + tls_server_name: www.gstatic.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_234ea6891581 +- stream: 8 + transport: tcp + src: 192.168.1.168 + dst: 142.251.16.100 + src_port: 50127 + dst_port: 443 + tls_server_name: ogs.google.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_234ea6891581 +- stream: 9 + transport: tcp + src: 192.168.1.168 + dst: 142.251.111.101 + src_port: 50128 + dst_port: 443 + tls_server_name: aa.google.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_234ea6891581 +- stream: 10 + transport: tcp + src: 192.168.1.168 + dst: 142.251.163.95 + src_port: 50130 + dst_port: 443 + tls_server_name: safebrowsing.googleapis.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_234ea6891581 +- stream: 11 + transport: tcp + src: 192.168.1.168 + dst: 31.13.66.35 + src_port: 50131 + dst_port: 443 + tls_server_name: www.facebook.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_a56c5b993250 +- stream: 12 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.1 + src_port: 50134 + dst_port: 443 + tls_server_name: static.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_a56c5b993250 +- stream: 13 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.1 + src_port: 50132 + dst_port: 443 + tls_server_name: static.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_a56c5b993250 +- stream: 14 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.1 + src_port: 50135 + dst_port: 443 + tls_server_name: 
static.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_a56c5b993250 +- stream: 15 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.1 + src_port: 50133 + dst_port: 443 + tls_server_name: static.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_a56c5b993250 +- stream: 16 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.1 + src_port: 50136 + dst_port: 443 + tls_server_name: static.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_a56c5b993250 +- stream: 17 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.1 + src_port: 50137 + dst_port: 443 + tls_server_name: static.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_a56c5b993250 +- stream: 18 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.1 + src_port: 50139 + dst_port: 443 + tls_server_name: scontent-iad3-2.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_a56c5b993250 +- stream: 19 + transport: tcp + src: 192.168.1.168 + dst: 31.13.66.2 + src_port: 50140 + dst_port: 443 + tls_server_name: gateway.facebook.com + ja4: t13d1516h1_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_a56c5b993250 +- stream: 20 + transport: tcp + src: 192.168.1.168 + dst: 157.240.241.1 + src_port: 50142 + dst_port: 443 + tls_server_name: scontent-lga3-2.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_a56c5b993250 +- stream: 21 + transport: tcp + src: 192.168.1.168 + dst: 157.240.14.19 + src_port: 50141 + dst_port: 443 + tls_server_name: scontent-mia3-2.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_a56c5b993250 +- stream: 22 + transport: tcp + src: 192.168.1.168 + dst: 208.255.115.145 + src_port: 50143 + dst_port: 443 + tls_server_name: scontent.fewr1-6.fna.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_a56c5b993250 +- stream: 23 + transport: tcp + src: 192.168.1.168 + dst: 
157.240.229.2 + src_port: 50145 + dst_port: 443 + tls_server_name: video-iad3-2.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_a56c5b993250 +- stream: 24 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.2 + src_port: 50146 + dst_port: 443 + tls_server_name: video-iad3-2.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_a56c5b993250 +- stream: 25 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.2 + src_port: 50144 + dst_port: 443 + tls_server_name: video-iad3-2.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_a56c5b993250 +- stream: 26 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.2 + src_port: 50147 + dst_port: 443 + tls_server_name: video-iad3-2.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_a56c5b993250 +- stream: 27 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.2 + src_port: 50148 + dst_port: 443 + tls_server_name: video-iad3-2.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_a56c5b993250 +- stream: 28 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.2 + src_port: 50149 + dst_port: 443 + tls_server_name: video-iad3-2.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_a56c5b993250 +- stream: 29 + transport: tcp + src: 192.168.1.168 + dst: 142.251.163.95 + src_port: 50151 + dst_port: 443 + tls_server_name: content-autofill.googleapis.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_234ea6891581 +- stream: 30 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.17 + src_port: 50152 + dst_port: 443 + tls_server_name: edge-chat.facebook.com + ja4: t13d1516h1_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_a56c5b993250 +- stream: 31 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.17 + src_port: 50153 + dst_port: 443 + tls_server_name: edge-chat.facebook.com + ja4: t13d1517h1_8daaf6152771_6cdcb247c39b + ja4s: 
t130300_1301_0ee26285a86f +- stream: 32 + transport: tcp + src: 192.168.1.168 + dst: 23.50.125.163 + src_port: 50155 + dst_port: 443 + tls_server_name: www.microsoft.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1302_a56c5b993250 +- stream: 33 + transport: tcp + src: 192.168.1.168 + dst: 23.218.218.147 + src_port: 50157 + dst_port: 443 + tls_server_name: statics-marketingsites-eus-ms-com.akamaized.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t1206h1_c02b_9bd66850b8f2 + tls_certs: + - x509: + - ja4x: a373a9f83c6b_2bab15409345_7bf9a7bf7029 + issuerCountryName: US + issuerOrganizationName: DigiCert Inc + issuerCommonName: DigiCert TLS RSA SHA256 2020 CA1 + subjectCountryName: US + subjectStateOrProvinceName: Massachusetts + subjectLocalityName: Cambridge + subjectOrganizationName: Akamai Technologies, Inc. + subjectCommonName: a248.e.akamai.net + - ja4x: 7d5dbb3783b4_a373a9f83c6b_a83ffcd6e6c2 + issuerCountryName: US + issuerOrganizationName: DigiCert Inc + issuerOrganizationalUnit: www.digicert.com + issuerCommonName: DigiCert Global Root CA + subjectCountryName: US + subjectOrganizationName: DigiCert Inc + subjectCommonName: DigiCert TLS RSA SHA256 2020 CA1 +- stream: 34 + transport: tcp + src: 192.168.1.168 + dst: 23.218.218.171 + src_port: 50158 + dst_port: 443 + tls_server_name: img-prod-cms-rt-microsoft-com.akamaized.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t1206h2_c02b_9bd66850b8f2 + tls_certs: + - x509: + - ja4x: a373a9f83c6b_2bab15409345_7bf9a7bf7029 + issuerCountryName: US + issuerOrganizationName: DigiCert Inc + issuerCommonName: DigiCert TLS RSA SHA256 2020 CA1 + subjectCountryName: US + subjectStateOrProvinceName: Massachusetts + subjectLocalityName: Cambridge + subjectOrganizationName: Akamai Technologies, Inc. 
+ subjectCommonName: a248.e.akamai.net + - ja4x: 7d5dbb3783b4_a373a9f83c6b_a83ffcd6e6c2 + issuerCountryName: US + issuerOrganizationName: DigiCert Inc + issuerOrganizationalUnit: www.digicert.com + issuerCommonName: DigiCert Global Root CA + subjectCountryName: US + subjectOrganizationName: DigiCert Inc + subjectCommonName: DigiCert TLS RSA SHA256 2020 CA1 +- stream: 35 + transport: tcp + src: 192.168.1.168 + dst: 23.212.251.12 + src_port: 50160 + dst_port: 443 + tls_server_name: cdn-dynmedia-1.microsoft.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1302_a56c5b993250 +- stream: 36 + transport: tcp + src: 192.168.1.168 + dst: 23.212.251.12 + src_port: 50162 + dst_port: 443 + tls_server_name: cdn-dynmedia-1.microsoft.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1302_a56c5b993250 +- stream: 37 + transport: tcp + src: 192.168.1.168 + dst: 23.212.251.12 + src_port: 50161 + dst_port: 443 + tls_server_name: cdn-dynmedia-1.microsoft.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1302_a56c5b993250 +- stream: 38 + transport: tcp + src: 192.168.1.168 + dst: 13.107.237.40 + src_port: 50159 + dst_port: 443 + tls_server_name: mem.gfx.ms + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1302_a56c5b993250 +- stream: 39 + transport: tcp + src: 192.168.1.168 + dst: 18.67.65.105 + src_port: 50163 + dst_port: 443 + tls_server_name: via.placeholder.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_a56c5b993250 +- stream: 40 + transport: tcp + src: 192.168.1.168 + dst: 13.107.237.40 + src_port: 50164 + dst_port: 443 + tls_server_name: wcpstatic.microsoft.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t1206h2_c02f_46cf7c3c6b8f + tls_certs: + - x509: + - ja4x: a373a9f83c6b_2bab15409345_7bf9a7bf7029 + issuerCountryName: US + issuerOrganizationName: DigiCert Inc + issuerCommonName: DigiCert TLS RSA SHA256 2020 CA1 + subjectCountryName: US + subjectStateOrProvinceName: Washington + 
subjectLocalityName: Redmond + subjectOrganizationName: Microsoft Corporation + subjectCommonName: wcpstatic.microsoft.com + - ja4x: 7d5dbb3783b4_a373a9f83c6b_a83ffcd6e6c2 + issuerCountryName: US + issuerOrganizationName: DigiCert Inc + issuerOrganizationalUnit: www.digicert.com + issuerCommonName: DigiCert Global Root CA + subjectCountryName: US + subjectOrganizationName: DigiCert Inc + subjectCommonName: DigiCert TLS RSA SHA256 2020 CA1 + - ja4x: 7d5dbb3783b4_7d5dbb3783b4_f269f029c206 + issuerCountryName: US + issuerOrganizationName: DigiCert Inc + issuerOrganizationalUnit: www.digicert.com + issuerCommonName: DigiCert Global Root CA + subjectCountryName: US + subjectOrganizationName: DigiCert Inc + subjectOrganizationalUnit: www.digicert.com + subjectCommonName: DigiCert Global Root CA +- stream: 41 + transport: tcp + src: 192.168.1.168 + dst: 13.107.238.40 + src_port: 50165 + dst_port: 443 + tls_server_name: js.monitor.azure.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1302_a56c5b993250 +- stream: 42 + transport: tcp + src: 192.168.1.168 + dst: 13.107.237.40 + src_port: 50166 + dst_port: 443 + tls_server_name: mem.gfx.ms + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1302_a56c5b993250 +- stream: 43 + transport: tcp + src: 192.168.1.168 + dst: 40.126.24.84 + src_port: 50167 + dst_port: 443 + tls_server_name: login.live.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t120400_c030_4e8089b08790 +- stream: 44 + transport: tcp + src: 192.168.1.168 + dst: 13.107.238.40 + src_port: 50168 + dst_port: 443 + tls_server_name: logincdn.msauth.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1302_a56c5b993250 +- stream: 45 + transport: tcp + src: 192.168.1.168 + dst: 13.107.237.40 + src_port: 50169 + dst_port: 443 + tls_server_name: mem.gfx.ms + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1302_a56c5b993250 +- stream: 46 + transport: tcp + src: 192.168.1.168 + dst: 3.223.179.120 + src_port: 50170 + dst_port: 
443 + tls_server_name: target.microsoft.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t1204h2_c02f_1428ce7b4018 + tls_certs: + - x509: + - ja4x: a373a9f83c6b_2bab15409345_7bf9a7bf7029 + issuerCountryName: US + issuerOrganizationName: DigiCert Inc + issuerCommonName: DigiCert TLS RSA SHA256 2020 CA1 + subjectCountryName: US + subjectStateOrProvinceName: California + subjectLocalityName: San Jose + subjectOrganizationName: Adobe Systems Incorporated + subjectCommonName: target.microsoft.com + - ja4x: 7d5dbb3783b4_a373a9f83c6b_a83ffcd6e6c2 + issuerCountryName: US + issuerOrganizationName: DigiCert Inc + issuerOrganizationalUnit: www.digicert.com + issuerCommonName: DigiCert Global Root CA + subjectCountryName: US + subjectOrganizationName: DigiCert Inc + subjectCommonName: DigiCert TLS RSA SHA256 2020 CA1 + - ja4x: 7d5dbb3783b4_7d5dbb3783b4_f269f029c206 + issuerCountryName: US + issuerOrganizationName: DigiCert Inc + issuerOrganizationalUnit: www.digicert.com + issuerCommonName: DigiCert Global Root CA + subjectCountryName: US + subjectOrganizationName: DigiCert Inc + subjectOrganizationalUnit: www.digicert.com + subjectCommonName: DigiCert Global Root CA +- stream: 47 + transport: tcp + src: 192.168.1.168 + dst: 23.55.200.211 + src_port: 50172 + dst_port: 443 + tls_server_name: www.apple.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1302_a56c5b993250 +- stream: 48 + transport: tcp + src: 192.168.1.168 + dst: 23.62.168.26 + src_port: 50175 + dst_port: 443 + tls_server_name: is1-ssl.mzstatic.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1302_a56c5b993250 +- stream: 49 + transport: tcp + src: 192.168.1.168 + dst: 23.62.168.26 + src_port: 50174 + dst_port: 443 + tls_server_name: is1-ssl.mzstatic.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1302_a56c5b993250 +- stream: 50 + transport: tcp + src: 192.168.1.168 + dst: 23.62.168.26 + src_port: 50177 + dst_port: 443 + tls_server_name: is2-ssl.mzstatic.com + ja4: 
t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1302_a56c5b993250 +- stream: 51 + transport: tcp + src: 192.168.1.168 + dst: 23.62.168.26 + src_port: 50176 + dst_port: 443 + tls_server_name: is2-ssl.mzstatic.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1302_a56c5b993250 +- stream: 52 + transport: tcp + src: 192.168.1.168 + dst: 23.62.168.26 + src_port: 50178 + dst_port: 443 + tls_server_name: is2-ssl.mzstatic.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1302_a56c5b993250 +- stream: 53 + transport: tcp + src: 192.168.1.168 + dst: 23.62.168.26 + src_port: 50180 + dst_port: 443 + tls_server_name: is3-ssl.mzstatic.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1302_a56c5b993250 +- stream: 54 + transport: tcp + src: 192.168.1.168 + dst: 23.62.168.26 + src_port: 50182 + dst_port: 443 + tls_server_name: is3-ssl.mzstatic.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1302_a56c5b993250 +- stream: 55 + transport: tcp + src: 192.168.1.168 + dst: 23.62.168.26 + src_port: 50181 + dst_port: 443 + tls_server_name: is3-ssl.mzstatic.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1302_a56c5b993250 +- stream: 56 + transport: tcp + src: 192.168.1.168 + dst: 23.62.168.26 + src_port: 50179 + dst_port: 443 + tls_server_name: is2-ssl.mzstatic.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1302_a56c5b993250 +- stream: 57 + transport: tcp + src: 192.168.1.168 + dst: 23.62.168.26 + src_port: 50183 + dst_port: 443 + tls_server_name: is5-ssl.mzstatic.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1302_a56c5b993250 +- stream: 58 + transport: tcp + src: 192.168.1.168 + dst: 172.253.63.95 + src_port: 50184 + dst_port: 443 + tls_server_name: content-autofill.googleapis.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_234ea6891581 +- stream: 0 + transport: udp + src: 192.168.1.168 + dst: 142.251.163.147 + src_port: 59102 + dst_port: 443 + 
tls_server_name: www.google.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + ja4s: q130200_1301_234ea6891581 +- stream: 1 + transport: udp + src: 192.168.1.168 + dst: 172.253.122.84 + src_port: 57816 + dst_port: 443 + tls_server_name: accounts.google.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + ja4s: q130200_1301_234ea6891581 +- stream: 2 + transport: udp + src: 192.168.1.168 + dst: 142.251.16.95 + src_port: 55945 + dst_port: 443 + tls_server_name: www.googleapis.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + ja4s: q130200_1301_234ea6891581 +- stream: 3 + transport: udp + src: 192.168.1.168 + dst: 142.251.163.94 + src_port: 49333 + dst_port: 443 + tls_server_name: update.googleapis.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + ja4s: q130200_1301_234ea6891581 +- stream: 4 + transport: udp + src: 192.168.1.168 + dst: 142.251.163.102 + src_port: 57662 + dst_port: 443 + tls_server_name: encrypted-tbn0.gstatic.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + ja4s: q130200_1301_234ea6891581 +- stream: 5 + transport: udp + src: 192.168.1.168 + dst: 142.251.111.101 + src_port: 60486 + dst_port: 443 + tls_server_name: history.google.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + ja4s: q130200_1301_234ea6891581 +- stream: 6 + transport: udp + src: 192.168.1.168 + dst: 172.253.122.94 + src_port: 60845 + dst_port: 443 + tls_server_name: www.gstatic.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + ja4s: q130200_1301_234ea6891581 +- stream: 7 + transport: udp + src: 192.168.1.168 + dst: 142.251.16.100 + src_port: 55906 + dst_port: 443 + tls_server_name: ogs.google.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + ja4s: q130200_1301_234ea6891581 +- stream: 8 + transport: udp + src: 192.168.1.168 + dst: 142.251.111.101 + src_port: 61836 + dst_port: 443 + tls_server_name: aa.google.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + ja4s: q130200_1301_234ea6891581 +- stream: 9 + transport: udp + src: 192.168.1.168 + dst: 172.253.63.95 + src_port: 59221 + dst_port: 
443 + tls_server_name: content-autofill.googleapis.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + ja4s: q130200_1301_234ea6891581 +- stream: 10 + transport: udp + src: 192.168.1.168 + dst: 142.251.163.138 + src_port: 51905 + dst_port: 443 + tls_server_name: encrypted-tbn0.gstatic.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + ja4s: q130200_1301_234ea6891581 +- stream: 11 + transport: udp + src: 192.168.1.168 + dst: 142.251.163.95 + src_port: 51782 + dst_port: 443 + tls_server_name: safebrowsing.googleapis.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + ja4s: q130200_1301_234ea6891581 +- stream: 12 + transport: udp + src: 192.168.1.168 + dst: 157.240.229.1 + src_port: 61730 + dst_port: 443 + tls_server_name: scontent-iad3-2.xx.fbcdn.net + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + ja4s: q130200_1301_a56c5b993250 +- stream: 13 + transport: udp + src: 192.168.1.168 + dst: 157.240.229.1 + src_port: 54980 + dst_port: 443 + tls_server_name: static.xx.fbcdn.net + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + ja4s: q130200_1301_a56c5b993250 +- stream: 14 + transport: udp + src: 192.168.1.168 + dst: 31.13.66.35 + src_port: 52166 + dst_port: 443 + tls_server_name: www.facebook.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + ja4s: q130200_1301_a56c5b993250 +- stream: 15 + transport: udp + src: 192.168.1.168 + dst: 157.240.229.1 + src_port: 59444 + dst_port: 443 + tls_server_name: static.xx.fbcdn.net + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + ja4s: q130200_1301_a56c5b993250 +- stream: 16 + transport: udp + src: 192.168.1.168 + dst: 157.240.229.2 + src_port: 60374 + dst_port: 443 + tls_server_name: video-iad3-2.xx.fbcdn.net + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + ja4s: q130200_1301_a56c5b993250 +- stream: 17 + transport: udp + src: 192.168.1.168 + dst: 142.251.163.95 + src_port: 55309 + dst_port: 443 + tls_server_name: content-autofill.googleapis.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + ja4s: q130200_1301_234ea6891581 +- stream: 18 + transport: udp + 
src: 192.168.1.168 + dst: 142.251.163.95 + src_port: 50053 + dst_port: 443 + tls_server_name: optimizationguide-pa.googleapis.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + ja4s: q130200_1301_234ea6891581 +- stream: 19 + transport: udp + src: 192.168.1.168 + dst: 142.251.163.132 + src_port: 57188 + dst_port: 443 + tls_server_name: lh5.googleusercontent.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + ja4s: q130200_1301_234ea6891581 + diff --git a/rust/ja4/src/snapshots/ja4__insta@tls-sni.pcapng.snap b/rust/ja4/src/snapshots/ja4__insta@tls-sni.pcapng.snap new file mode 100644 index 0000000..0ed8cff --- /dev/null +++ b/rust/ja4/src/snapshots/ja4__insta@tls-sni.pcapng.snap 
@@ -0,0 +1,637 @@ +--- +source: ja4/src/lib.rs +expression: output +--- +- stream: 0 + transport: tcp + src: 192.168.1.168 + dst: 142.251.16.94 + src_port: 50112 + dst_port: 443 + tls_server_name: clientservices.googleapis.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 1 + transport: tcp + src: 192.168.1.168 + dst: 142.251.163.147 + src_port: 50113 + dst_port: 443 + tls_server_name: www.google.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 2 + transport: tcp + src: 192.168.1.168 + dst: 172.253.122.84 + src_port: 50114 + dst_port: 443 + tls_server_name: accounts.google.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 3 + transport: tcp + src: 192.168.1.168 + dst: 142.251.16.95 + src_port: 50115 + dst_port: 443 + tls_server_name: www.googleapis.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 4 + transport: tcp + src: 192.168.1.168 + dst: 104.112.30.74 + src_port: 50116 + dst_port: 443 + tls_server_name: lastpass.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 5 + transport: tcp + src: 192.168.1.168 + dst: 192.241.241.147 + src_port: 50122 + dst_port: 443 + tls_server_name: lp-push-server-452.lastpass.com + ja4: t13d1516h1_8daaf6152771_e5627efa2ab1 +- stream: 6 + transport: tcp + src: 192.168.1.168 + dst: 142.251.163.188 + src_port: 50123 + dst_port: 5228 + tls_server_name: mtalk.google.com + ja4: t13d151400_8daaf6152771_de4a06bb82e3 +- stream: 7 + transport: tcp + src: 192.168.1.168 + dst: 172.253.122.94 + src_port: 50126 + dst_port: 443 + tls_server_name: www.gstatic.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 8 + transport: tcp + src: 192.168.1.168 + dst: 142.251.16.100 + src_port: 50127 + dst_port: 443 + tls_server_name: ogs.google.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 9 + transport: tcp + src: 192.168.1.168 + dst: 142.251.111.101 + src_port: 50128 + dst_port: 443 + tls_server_name: aa.google.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 10 + transport: tcp + 
src: 192.168.1.168 + dst: 142.251.163.95 + src_port: 50130 + dst_port: 443 + tls_server_name: safebrowsing.googleapis.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 11 + transport: tcp + src: 192.168.1.168 + dst: 31.13.66.35 + src_port: 50131 + dst_port: 443 + tls_server_name: www.facebook.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 12 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.1 + src_port: 50134 + dst_port: 443 + tls_server_name: static.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 13 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.1 + src_port: 50132 + dst_port: 443 + tls_server_name: static.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 14 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.1 + src_port: 50135 + dst_port: 443 + tls_server_name: static.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 15 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.1 + src_port: 50133 + dst_port: 443 + tls_server_name: static.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 16 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.1 + src_port: 50136 + dst_port: 443 + tls_server_name: static.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 17 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.1 + src_port: 50137 + dst_port: 443 + tls_server_name: static.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 18 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.1 + src_port: 50139 + dst_port: 443 + tls_server_name: scontent-iad3-2.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 19 + transport: tcp + src: 192.168.1.168 + dst: 31.13.66.2 + src_port: 50140 + dst_port: 443 + tls_server_name: gateway.facebook.com + ja4: t13d1516h1_8daaf6152771_e5627efa2ab1 +- stream: 20 + transport: tcp + src: 192.168.1.168 + dst: 157.240.241.1 + src_port: 50142 + dst_port: 443 + 
tls_server_name: scontent-lga3-2.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 21 + transport: tcp + src: 192.168.1.168 + dst: 157.240.14.19 + src_port: 50141 + dst_port: 443 + tls_server_name: scontent-mia3-2.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 22 + transport: tcp + src: 192.168.1.168 + dst: 208.255.115.145 + src_port: 50143 + dst_port: 443 + tls_server_name: scontent.fewr1-6.fna.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 23 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.2 + src_port: 50145 + dst_port: 443 + tls_server_name: video-iad3-2.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 24 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.2 + src_port: 50146 + dst_port: 443 + tls_server_name: video-iad3-2.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 25 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.2 + src_port: 50144 + dst_port: 443 + tls_server_name: video-iad3-2.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 26 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.2 + src_port: 50147 + dst_port: 443 + tls_server_name: video-iad3-2.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 27 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.2 + src_port: 50148 + dst_port: 443 + tls_server_name: video-iad3-2.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 28 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.2 + src_port: 50149 + dst_port: 443 + tls_server_name: video-iad3-2.xx.fbcdn.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 29 + transport: tcp + src: 192.168.1.168 + dst: 142.251.163.95 + src_port: 50151 + dst_port: 443 + tls_server_name: content-autofill.googleapis.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 30 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.17 + src_port: 50152 + dst_port: 443 + tls_server_name: 
edge-chat.facebook.com + ja4: t13d1516h1_8daaf6152771_e5627efa2ab1 +- stream: 31 + transport: tcp + src: 192.168.1.168 + dst: 157.240.229.17 + src_port: 50153 + dst_port: 443 + tls_server_name: edge-chat.facebook.com + ja4: t13d1517h1_8daaf6152771_6cdcb247c39b +- stream: 32 + transport: tcp + src: 192.168.1.168 + dst: 23.50.125.163 + src_port: 50155 + dst_port: 443 + tls_server_name: www.microsoft.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 33 + transport: tcp + src: 192.168.1.168 + dst: 23.218.218.147 + src_port: 50157 + dst_port: 443 + tls_server_name: statics-marketingsites-eus-ms-com.akamaized.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 34 + transport: tcp + src: 192.168.1.168 + dst: 23.218.218.171 + src_port: 50158 + dst_port: 443 + tls_server_name: img-prod-cms-rt-microsoft-com.akamaized.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 35 + transport: tcp + src: 192.168.1.168 + dst: 23.212.251.12 + src_port: 50160 + dst_port: 443 + tls_server_name: cdn-dynmedia-1.microsoft.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 36 + transport: tcp + src: 192.168.1.168 + dst: 23.212.251.12 + src_port: 50162 + dst_port: 443 + tls_server_name: cdn-dynmedia-1.microsoft.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 37 + transport: tcp + src: 192.168.1.168 + dst: 23.212.251.12 + src_port: 50161 + dst_port: 443 + tls_server_name: cdn-dynmedia-1.microsoft.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 38 + transport: tcp + src: 192.168.1.168 + dst: 13.107.237.40 + src_port: 50159 + dst_port: 443 + tls_server_name: mem.gfx.ms + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 39 + transport: tcp + src: 192.168.1.168 + dst: 18.67.65.105 + src_port: 50163 + dst_port: 443 + tls_server_name: via.placeholder.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 40 + transport: tcp + src: 192.168.1.168 + dst: 13.107.237.40 + src_port: 50164 + dst_port: 443 + tls_server_name: wcpstatic.microsoft.com 
+ ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 41 + transport: tcp + src: 192.168.1.168 + dst: 13.107.238.40 + src_port: 50165 + dst_port: 443 + tls_server_name: js.monitor.azure.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 42 + transport: tcp + src: 192.168.1.168 + dst: 13.107.237.40 + src_port: 50166 + dst_port: 443 + tls_server_name: mem.gfx.ms + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 43 + transport: tcp + src: 192.168.1.168 + dst: 40.126.24.84 + src_port: 50167 + dst_port: 443 + tls_server_name: login.live.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 44 + transport: tcp + src: 192.168.1.168 + dst: 13.107.238.40 + src_port: 50168 + dst_port: 443 + tls_server_name: logincdn.msauth.net + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 45 + transport: tcp + src: 192.168.1.168 + dst: 13.107.237.40 + src_port: 50169 + dst_port: 443 + tls_server_name: mem.gfx.ms + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 46 + transport: tcp + src: 192.168.1.168 + dst: 3.223.179.120 + src_port: 50170 + dst_port: 443 + tls_server_name: target.microsoft.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 47 + transport: tcp + src: 192.168.1.168 + dst: 23.55.200.211 + src_port: 50172 + dst_port: 443 + tls_server_name: www.apple.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 48 + transport: tcp + src: 192.168.1.168 + dst: 23.62.168.26 + src_port: 50175 + dst_port: 443 + tls_server_name: is1-ssl.mzstatic.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 49 + transport: tcp + src: 192.168.1.168 + dst: 23.62.168.26 + src_port: 50174 + dst_port: 443 + tls_server_name: is1-ssl.mzstatic.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 50 + transport: tcp + src: 192.168.1.168 + dst: 23.62.168.26 + src_port: 50177 + dst_port: 443 + tls_server_name: is2-ssl.mzstatic.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 51 + transport: tcp + src: 192.168.1.168 + dst: 23.62.168.26 + src_port: 
50176 + dst_port: 443 + tls_server_name: is2-ssl.mzstatic.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 52 + transport: tcp + src: 192.168.1.168 + dst: 23.62.168.26 + src_port: 50178 + dst_port: 443 + tls_server_name: is2-ssl.mzstatic.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 53 + transport: tcp + src: 192.168.1.168 + dst: 23.62.168.26 + src_port: 50180 + dst_port: 443 + tls_server_name: is3-ssl.mzstatic.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 54 + transport: tcp + src: 192.168.1.168 + dst: 23.62.168.26 + src_port: 50182 + dst_port: 443 + tls_server_name: is3-ssl.mzstatic.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 55 + transport: tcp + src: 192.168.1.168 + dst: 23.62.168.26 + src_port: 50181 + dst_port: 443 + tls_server_name: is3-ssl.mzstatic.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 56 + transport: tcp + src: 192.168.1.168 + dst: 23.62.168.26 + src_port: 50179 + dst_port: 443 + tls_server_name: is2-ssl.mzstatic.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 57 + transport: tcp + src: 192.168.1.168 + dst: 23.62.168.26 + src_port: 50183 + dst_port: 443 + tls_server_name: is5-ssl.mzstatic.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 58 + transport: tcp + src: 192.168.1.168 + dst: 172.253.63.95 + src_port: 50184 + dst_port: 443 + tls_server_name: content-autofill.googleapis.com + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 +- stream: 0 + transport: udp + src: 192.168.1.168 + dst: 142.251.163.147 + src_port: 59102 + dst_port: 443 + tls_server_name: www.google.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 1 + transport: udp + src: 192.168.1.168 + dst: 172.253.122.84 + src_port: 57816 + dst_port: 443 + tls_server_name: accounts.google.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 2 + transport: udp + src: 192.168.1.168 + dst: 142.251.16.95 + src_port: 55945 + dst_port: 443 + tls_server_name: www.googleapis.com + ja4: 
q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 3 + transport: udp + src: 192.168.1.168 + dst: 142.251.163.94 + src_port: 49333 + dst_port: 443 + tls_server_name: update.googleapis.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 4 + transport: udp + src: 192.168.1.168 + dst: 142.251.163.102 + src_port: 57662 + dst_port: 443 + tls_server_name: encrypted-tbn0.gstatic.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 5 + transport: udp + src: 192.168.1.168 + dst: 142.251.111.101 + src_port: 60486 + dst_port: 443 + tls_server_name: history.google.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 6 + transport: udp + src: 192.168.1.168 + dst: 172.253.122.94 + src_port: 60845 + dst_port: 443 + tls_server_name: www.gstatic.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 7 + transport: udp + src: 192.168.1.168 + dst: 142.251.16.100 + src_port: 55906 + dst_port: 443 + tls_server_name: ogs.google.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 8 + transport: udp + src: 192.168.1.168 + dst: 142.251.111.101 + src_port: 61836 + dst_port: 443 + tls_server_name: aa.google.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 9 + transport: udp + src: 192.168.1.168 + dst: 172.253.63.95 + src_port: 59221 + dst_port: 443 + tls_server_name: content-autofill.googleapis.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 10 + transport: udp + src: 192.168.1.168 + dst: 142.251.163.138 + src_port: 51905 + dst_port: 443 + tls_server_name: encrypted-tbn0.gstatic.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 11 + transport: udp + src: 192.168.1.168 + dst: 142.251.163.95 + src_port: 51782 + dst_port: 443 + tls_server_name: safebrowsing.googleapis.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 12 + transport: udp + src: 192.168.1.168 + dst: 157.240.229.1 + src_port: 61730 + dst_port: 443 + tls_server_name: scontent-iad3-2.xx.fbcdn.net + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 13 + transport: 
udp + src: 192.168.1.168 + dst: 157.240.229.1 + src_port: 54980 + dst_port: 443 + tls_server_name: static.xx.fbcdn.net + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 14 + transport: udp + src: 192.168.1.168 + dst: 31.13.66.35 + src_port: 52166 + dst_port: 443 + tls_server_name: www.facebook.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 15 + transport: udp + src: 192.168.1.168 + dst: 157.240.229.1 + src_port: 59444 + dst_port: 443 + tls_server_name: static.xx.fbcdn.net + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 16 + transport: udp + src: 192.168.1.168 + dst: 157.240.229.2 + src_port: 60374 + dst_port: 443 + tls_server_name: video-iad3-2.xx.fbcdn.net + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 17 + transport: udp + src: 192.168.1.168 + dst: 142.251.163.95 + src_port: 55309 + dst_port: 443 + tls_server_name: content-autofill.googleapis.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 18 + transport: udp + src: 192.168.1.168 + dst: 142.251.163.95 + src_port: 50053 + dst_port: 443 + tls_server_name: optimizationguide-pa.googleapis.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 19 + transport: udp + src: 192.168.1.168 + dst: 142.251.163.132 + src_port: 57188 + dst_port: 443 + tls_server_name: lh5.googleusercontent.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + diff --git a/rust/ja4/src/snapshots/ja4__insta@tls3.pcapng.snap b/rust/ja4/src/snapshots/ja4__insta@tls3.pcapng.snap new file mode 100644 index 0000000..2512cdf --- /dev/null +++ b/rust/ja4/src/snapshots/ja4__insta@tls3.pcapng.snap 
@@ -0,0 +1,156 @@ +--- +source: ja4/src/lib.rs +expression: output +--- +- stream: 7 + transport: tcp + src: 192.168.1.169 + dst: 54.190.49.36 + src_port: 63248 + dst_port: 443 + tls_server_name: darksail.ai + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_a56c5b993250 + ja4l_c: 16_128 + ja4l_s: 34615_35 +- stream: 8 + transport: tcp + src: 192.168.1.169 + dst: 23.222.12.9 + src_port: 63249 + dst_port: 80 + ja4l_c: 14_128 + ja4l_s: 3181_57 + http: + - ja4h: ge11nn07enus_3e3b55d61660_000000000000_000000000000 +- stream: 9 + transport: tcp + src: 192.168.1.169 + dst: 54.190.49.36 + src_port: 63250 + dst_port: 443 + tls_server_name: darksail.ai + ja4: t13d1516h2_8daaf6152771_9b887d9acb53 + ja4s: t130300_1301_0ee26285a86f + ja4l_c: 13_128 + ja4l_s: 36549_35 +- stream: 10 + transport: tcp + src: 192.168.1.169 + dst: 54.190.49.36 + src_port: 63251 + dst_port: 443 + tls_server_name: darksail.ai + ja4: t13d1516h2_8daaf6152771_9b887d9acb53 + ja4s: t130300_1301_0ee26285a86f + ja4l_c: 15_128 + ja4l_s: 34691_38 +- stream: 11 + transport: tcp + src: 192.168.1.169 + dst: 104.21.234.234 + src_port: 63252 + dst_port: 443 + tls_server_name: rsms.me + ja4: t13d1516h2_8daaf6152771_9b887d9acb53 + ja4s: t130300_1301_6bbbaf601ed8 + ja4l_c: 15_128 + ja4l_s: 2442_57 +- stream: 12 + transport: tcp + src: 192.168.1.169 + dst: 54.190.49.36 + src_port: 63253 + dst_port: 443 + tls_server_name: darksail.ai + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_a56c5b993250 + ja4l_c: 11_128 + ja4l_s: 36498_35 +- stream: 13 + transport: tcp + src: 192.168.1.169 + dst: 54.190.49.36 + src_port: 63254 + dst_port: 443 + tls_server_name: darksail.ai + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_a56c5b993250 + ja4l_c: 15_128 + ja4l_s: 33515_32 +- stream: 14 + transport: tcp + src: 192.168.1.169 + dst: 54.190.49.36 + src_port: 63255 + dst_port: 443 + tls_server_name: darksail.ai + ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_a56c5b993250 + 
ja4l_c: 11_128 + ja4l_s: 33738_33 +- stream: 21 + transport: udp + src: 192.168.1.169 + dst: 172.253.122.95 + src_port: 62481 + dst_port: 443 + tls_server_name: fonts.googleapis.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + ja4s: q130200_1301_234ea6891581 + ja4l_c: 59_128 + ja4l_s: 4213_59 +- stream: 22 + transport: udp + src: 192.168.1.169 + dst: 104.21.234.234 + src_port: 61732 + dst_port: 443 + tls_server_name: rsms.me + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + ja4s: q130200_1301_234ea6891581 + ja4l_c: 336_128 + ja4l_s: 5580_57 +- stream: 23 + transport: udp + src: 192.168.1.169 + dst: 151.101.1.229 + src_port: 49791 + dst_port: 443 + tls_server_name: cdn.jsdelivr.net + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + ja4s: q130200_1301_a56c5b993250 + ja4l_c: 40_128 + ja4l_s: 4455_58 +- stream: 24 + transport: udp + src: 192.168.1.169 + dst: 104.17.24.14 + src_port: 56684 + dst_port: 443 + tls_server_name: cdnjs.cloudflare.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + ja4s: q130200_1301_234ea6891581 + ja4l_c: 59_128 + ja4l_s: 3590_57 +- stream: 25 + transport: udp + src: 192.168.1.169 + dst: 104.21.234.234 + src_port: 61884 + dst_port: 443 + tls_server_name: rsms.me + ja4: q13d0311h3_55b375c5d22e_3512bcbbc9ec + ja4s: q130300_1301_6bbbaf601ed8 +- stream: 28 + transport: udp + src: 192.168.1.169 + dst: 142.251.111.94 + src_port: 58117 + dst_port: 443 + tls_server_name: fonts.gstatic.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + ja4s: q130200_1301_234ea6891581 + ja4l_c: 45_128 + ja4l_s: 3298_58 +
diff --git a/rust/ja4/src/tls.rs b/rust/ja4/src/tls.rs
index 71c8ab4..8b2015c 100644
--- a/rust/ja4/src/tls.rs
+++ b/rust/ja4/src/tls.rs
@@ -56,7 +56,9 @@ impl Stream {
 CLIENT_HELLO => {
 debug_assert_eq!(
 tls_handshake_type.display(),
- "Handshake Type: Client Hello (1)"
+ "Handshake Type: Client Hello (1)",
+ "packet={}",
+ pkt.num
 );
 // We only process a single TLS Client Hello packet per stream.
 if self.client.is_none() {
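Review bot: The `debug_assert_eq!` in the `CLIENT_HELLO` arm still compares tshark's human-readable display text, so the added `packet={}` message only helps in debug builds. Release builds skip the check entirely, and a tshark version that words the field differently would panic debug builds on captures that are otherwise fine. The workflow change in this same commit installs tshark from the wireshark-dev stable PPA without pinning a version, so that wording is not guaranteed to stay fixed between CI runs. Consider replacing the assertion with a non-panicking check that logs the mismatch, for example `tracing::warn!(packet = %pkt.num, showname = tls_handshake_type.display(), "unexpected Client Hello showname")` behind an `if`, which also matches the structured logging already used in `tls_extensions_server`. The match arm begins and ends outside this hunk.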
@@ -573,7 +575,7 @@ fn tls_extensions_server(tls: &Proto) -> Vec { assert_eq!(tls.name(), "tls"); tls.fields("tls.handshake.extension.type").filter_map(|md| { - md.value().parse().map_err(|e| { + md.value().parse::().map_err(|e| { tracing::debug!(packet = %tls.packet_num, value = md.value(), showname = md.display(), error = %e, "Invalid TLS extension"); }).ok() })
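Review bot: In `tls_extensions_server`, an extension type that fails to parse is logged only at debug level and then discarded by `.ok()`, so the returned list can be shorter than what was on the wire with no visible signal at default log levels. If this list feeds the JA4S hash (inferred from the function name and the `ja4s` values in the snapshots; the caller is outside this hunk), the tool would emit a well-formed fingerprint computed from incomplete input, and an analyst matching on it could not tell it is unreliable. Consider raising the event to `tracing::warn!` and stating the behaviour next to the closure, e.g. `// Unparseable extension types are skipped; the resulting fingerprint omits them.` The function body continues past the end of the hunk.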