Question 1

How to install JA4+ on Ubuntu for PCAP analysis?

Accepted Answer

Install tshark via apt (sudo apt install tshark), download the Rust binaries from the releases page, and run ./ja4 with your PCAP file. Refer to the README for advanced options like output formats.

Question 2

JA4 vs JA3: which should I use for TLS fingerprinting?

Accepted Answer

JA4 is better for modern deployments as it sorts ciphers and extensions to resist evasion, while JA3 is more established but prone to fingerprint randomization. JA4's design future-proofs it against tactics like cipher stunting.

Question 3

Can JA4+ detect VPN or proxy traffic?

Accepted Answer

Yes, methods like JA4T for TCP fingerprinting can identify VPN clients (e.g., Surfshark, NordVPN) based on OS-level stack characteristics, as shown in the blog post examples.

Question 4

How to use JA4+ with Wireshark for live traffic?

Accepted Answer

Load the provided C plugin into Wireshark to display JA4+ fields directly in the UI. The README includes build instructions for the plugin across Linux, macOS, and Windows.

Question 5

Is JA4+ open source or free for commercial products?

Accepted Answer

JA4 (TLS client) is BSD-licensed and open, but other JA4+ methods require a FoxIO License for commercial monetization. Internal use is permitted, but vendors must contact FoxIO for OEM terms.

Question 6

What tools support JA4+ fingerprints out of the box?

Accepted Answer

Many tools like Arkime, Suricata, and ntopng integrate JA4+, with a full list in the README. Cloud services like AWS WAF and Google Cloud Armor also use it for traffic filtering.

JA4+

What is JA4+?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions