Quick-Labs
JA4 Wireshark Plugin

Installing and Using the JA4+ Plugin for Wireshark

Introduction

The JA4+ plugin for Wireshark adds the JA4+ family of network fingerprints (JA4, JA4S, JA4H, JA4L, JA4LS, JA4X, JA4SSH, JA4T, JA4TS) as dissector fields, so you can identify and group clients and servers by how they negotiate TLS, HTTP, TCP and SSH rather than by IP address. The TLS fingerprints are computed from the cleartext ClientHello and ServerHello, so no decryption is needed. This guide covers installation and use of the plugin on Windows, Mac (Intel and ARM), and Linux.

What You’ll Learn:

  • How to install the JA4+ plugin on different operating systems.
  • How to perform network captures and analyze encrypted traffic using Wireshark.
  • How to verify the plugin installation and compare traffic data before and after installing the JA4+ plugin.

Installing the JA4+ Plugin on Windows

Step 1: Download the JA4+ Plugin

Go to the JA4+ GitHub repository and download the Windows plugin binary, ja4.dll, from the release built for your installed Wireshark version (major.minor, for example 4.4). Wireshark plugins are compiled against a specific version, and a build for a different version will not load.

Step 2: Locate the Wireshark Plugins Directory

Navigate to the Wireshark plugins directory. The 4.4 path component must match the major.minor version of your installed Wireshark; Help > About Wireshark > Folders shows the exact Global Plugins and Personal Plugins paths it scans:

C:\Program Files\Wireshark\plugins\4.4\epan\

Step 3: Copy the JA4+ Plugin

Copy the ja4.dll file to the plugins directory:

C:\Program Files\Wireshark\plugins\4.4\epan\

Step 4: Restart Wireshark

Start Wireshark to load the new plugin.

Installing the JA4+ Plugin on Mac (Intel and ARM)

Step 1: Download the JA4+ Plugin

Download the appropriate binary file for your Mac architecture:

  • ARM (M1/M2): ja4.so.macos from JA4 GitHub.
  • Intel (x86/x64): ja4.so from JA4 GitHub.

Step 2: Locate the Wireshark Plugins Directory

Navigate to the plugins directory inside the app bundle. Note that the version component is written with a hyphen (4-4) here and must match your installed Wireshark major.minor version:

/Applications/Wireshark.app/Contents/PlugIns/wireshark/4-4/epan/

Step 3: Copy the JA4+ Plugin

Copy the downloaded file to the plugins directory. Wireshark on macOS only scans for plugin files with the .so extension, so if you downloaded ja4.so.macos, copy it into the directory under the name ja4.so:

sudo cp /path/to/ja4.so /Applications/Wireshark.app/Contents/PlugIns/wireshark/4-4/epan/

Step 4: Restart Wireshark

Start Wireshark to load the new plugin.

Installing the JA4+ Plugin on Linux

Step 1: Download the JA4+ Plugin

Download the Linux binary file: ja4.so from the JA4 GitHub repository.

Step 2: Locate the Wireshark Plugins Directory

Find the global plugins directory. The version component must match your installed Wireshark (4.0 below is only an example; a 4.4 install looks in 4.4/), and Debian and Ubuntu place it under /usr/lib/x86_64-linux-gnu/wireshark/plugins/ instead. Help > About Wireshark > Folders shows the exact Global Plugins path; the Personal Plugins path listed there (~/.local/lib/wireshark/plugins/<version>/epan/) works without root:

/usr/lib/wireshark/plugins/4.0/epan/

Step 3: Copy the JA4+ Plugin

Copy the plugin file to the directory:

sudo cp /path/to/ja4.so /usr/lib/wireshark/plugins/4.0/epan/

Step 4: Restart Wireshark

Start Wireshark to load the new plugin.
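The three installation procedures above differ only in where the file goes and what it must be called, and the most common failure (a plugin copied into a directory for a different Wireshark version, which Wireshark silently ignores) is easy to script away. The following helper is an added example, not part of this guide or the JA4 project: it reads the installed version from tshark, builds the directory paths this guide lists (the Linux path is distro-dependent, as noted above), copies the plugin under the name Wireshark scans for, and checks with tshark's real -G plugins / -G fields listings that the plugin and its ja4.* fields loaded. The function and script names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the JA4 project): install ja4.so/ja4.dll into the plugin
# directory that matches the running Wireshark, then confirm the plugin loaded.
# Wireshark only loads plugins from plugins/<major.minor>/epan of its own version, so
# copying into a directory for a different version fails silently.
set -eu

# Parse "MAJOR.MINOR" out of a version banner such as
# "TShark (Wireshark) 4.4.2 (v4.4.2-0-g...)" or "Wireshark 4.4.2". Prints nothing if absent.
ws_major_minor() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+(\.[0-9]+)?$/) { split($i, v, "."); print v[1] "." v[2]; exit }
    }'
}

# Global plugin directory for an OS, using the layouts this guide lists (note the
# hyphenated version component inside the macOS app bundle). Distros may put the
# Linux directory elsewhere (e.g. under /usr/lib/x86_64-linux-gnu); check
# Help > About Wireshark > Folders if the path does not exist.
ja4_plugin_dir() {
    os="$1"
    mm="$(ws_major_minor "$2")"
    [ -n "$mm" ] || { echo "cannot find a Wireshark version in: $2" >&2; return 1; }
    case "$os" in
        windows) printf 'C:\\Program Files\\Wireshark\\plugins\\%s\\epan\n' "$mm" ;;
        macos)   printf '/Applications/Wireshark.app/Contents/PlugIns/wireshark/%s/epan\n' "$(printf '%s' "$mm" | tr . -)" ;;
        linux)   printf '/usr/lib/wireshark/plugins/%s/epan\n' "$mm" ;;
        *)       echo "unknown os: $os" >&2; return 1 ;;
    esac
}

# Copy the downloaded plugin under the name Wireshark scans for (ja4.so / ja4.dll), so a
# file downloaded as ja4.so.macos is renamed on the way in. Run with sudo for global dirs.
install_ja4_plugin() {
    src="$1"; os="$2"
    banner="$(tshark --version 2>/dev/null | head -n 1)"
    dest="$(ja4_plugin_dir "$os" "$banner")" || return 1
    [ -d "$dest" ] || { echo "plugin dir not found: $dest" >&2; return 1; }
    case "$os" in windows) name=ja4.dll ;; *) name=ja4.so ;; esac
    cp "$src" "$dest/$name" && echo "installed $dest/$name"
}

# Post-install check without opening the GUI: the plugin must appear in
# `tshark -G plugins`, and its fields (filter names starting with "ja4.") in `tshark -G fields`.
verify_ja4_plugin() {
    tshark -G plugins | grep -i 'ja4' || { echo "ja4 plugin not loaded" >&2; return 1; }
    tshark -G fields | awk -F'\t' '$3 ~ /^ja4\./ { print $3 }'
}

case "${1:-}" in
    install) install_ja4_plugin "$2" "$3" ;;   # e.g. sudo ./ja4_install.sh install ~/Downloads/ja4.so linux
    verify)  verify_ja4_plugin ;;
esac
```

If verify_ja4_plugin prints nothing after a successful install, the file is in a directory Wireshark is not scanning; compare the printed destination with the Folders tab rather than trusting the path in this guide.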

Initial Wireshark Capture (Pre-Installation)

Step 1: Open Wireshark

Launch Wireshark from your applications menu.

Step 2: Select a Network Interface

Choose the network interface to monitor (e.g., Wi-Fi).

Step 3: Start the Capture

Click the Shark Fin icon or press Ctrl + E (or Cmd + E on Mac).

Step 4: Run the Capture

Let Wireshark capture traffic for 1-2 minutes.

Step 5: Stop and Save the Capture

Click the Red Square icon or press Ctrl + E (or Cmd + E on Mac). Save the capture as initial_capture.pcapng.

Step 6: Adjust Preferences for TLS Analysis

Go to Wireshark > Preferences > Protocols > TLS. Enable Try to detect and decode SSL encrypted data. Save changes. This step is not required for JA4+: the fingerprints are computed from the cleartext ClientHello and ServerHello, so JA4 values appear whether or not a session can be decrypted. Decryption (a (Pre)-Master-Secret log file configured in the same preferences page) only matters if you also want to inspect the application data.

Step 7: Verify Columns

Apply the display filter tls.handshake.type == 1, select a Client Hello and expand the TLS handshake in the packet details. Without the plugin there are no ja4.* fields in the packet details, no JA4 columns in the packet list, and a display filter such as ja4.ja4s is rejected as an unknown field. (Wireshark 4.2 and later compute the client fingerprint natively as tls.handshake.ja4, so that single field may already be present; the server, HTTP, TCP, SSH and X.509 fingerprints come only from the plugin.)

Verifying JA4+ Plugin Installation

Step 1: Open Wireshark

Launch Wireshark.

Step 2: Verify Plugin Status

Go to Help > About Wireshark and open the Plugins tab. The plugin is listed by its file name (ja4) together with its version, type and the path it was loaded from.

Step 3: Troubleshooting

If it is not listed, check the Folders tab of the same dialog: it shows the Global Plugins and Personal Plugins directories Wireshark actually scanned, including the version component. Make sure the file is in one of them, is named ja4.so (Mac/Linux) or ja4.dll (Windows), was built for exactly this Wireshark major.minor version, and matches your CPU architecture (an Intel build does not load on Apple silicon, and vice versa).

Wireshark Capture with the JA4+ Plugin

Step 1: Select the Same Network Interface

Choose the same network interface used in the initial capture.

Step 2: Start the Capture

Click the Shark Fin icon or press Ctrl + E (or Cmd + E).

Step 3: Run the Capture

Capture traffic for 1-2 minutes.

Step 4: Stop and Save the Capture

Click the Red Square icon or press Ctrl + E (or Cmd + E). Save the capture as ja4_plugin_capture.pcapng.

Step 5: Verify JA4 Fields

Apply the display filter tls.handshake.type == 1, select a Client Hello and expand the TLS handshake in the packet details: the JA4 fingerprint is now shown, and ja4.* fields are accepted in display filters. The plugin adds fields, not columns, so nothing new appears in the packet list until you add custom columns, as described in the next section.

Adding JA4+ Columns for Enhanced Analysis

Step 1: Open Preferences

Go to Wireshark > Preferences > Appearance > Columns.

Step 2: Add JA4+ Columns

Click + to add a column for each fingerprint, set its Type to Custom, and enter the field name in Fields (the Title is free text). JA4 uses the field Wireshark computes itself in 4.2 and later; the others are provided by the plugin:

  • JA4T: ja4.ja4t
  • JA4TS: ja4.ja4ts
  • JA4: tls.handshake.ja4
  • JA4S: ja4.ja4s
  • JA4H: ja4.ja4h
  • JA4L: ja4.ja4l
  • JA4LS: ja4.ja4ls
  • JA4X: ja4.ja4x
  • JA4SSH: ja4.ja4ssh

Each of these corresponds to a "%Cus:<field>:0:R" entry in the preferences file, which is what Wireshark writes when you save.

Step 3: Save Changes

Click OK to save.

Step 4: Verify Columns

Ensure new JA4+ columns are visible in the main window.

Comparing Captures: Before and After JA4+ Plugin Installation

Step 1: Open Both Capture Files

Open initial_capture.pcapng and ja4_plugin_capture.pcapng.

Step 2: Analyze Differences

Compare the TLS packet details with what you saw in Step 7 of the pre-installation capture. Apply tls.handshake.type == 1 and look for the JA4 fingerprint in the Client Hello, and for the ja4.* fields (ja4.ja4s in the Server Hello, ja4.ja4x on certificates, ja4.ja4t on TCP SYNs). The fingerprints are computed by the dissector at display time, not stored in the capture, so with the plugin loaded they appear in initial_capture.pcapng as well; the two files differ only in the traffic they contain, and what changed is how Wireshark dissects them.

Step 3: Conclusion

The JA4+ plugin adds fingerprint fields to every capture you open, which you can then filter, column and export like any other field.
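The same comparison can be done from the command line with tshark, which is also the practical way to turn a capture into a list of fingerprints worth looking at. This is an added example, not part of this guide or the JA4 project: it uses the field names from the column list (tls.handshake.ja4 for the client fingerprint, the plugin's ja4.ja4s for the server), and the sample data is constructed with synthetic fingerprints and addresses.

```shell
#!/usr/bin/env bash
# Added example (not from the JA4 project): extract JA4 fingerprints from a capture with
# tshark and summarise them, the command-line equivalent of reading the JA4 column.
# The fingerprint is recomputed by the dissector each time a file is opened, so the same
# .pcapng yields JA4 values with the plugin loaded and none without it.
set -eu

# One line per TLS ClientHello: destination, SNI, JA4 (tab-separated, tshark's default).
# tls.handshake.ja4 is Wireshark's own field (4.2+); the plugin's fields live under "ja4.".
extract_ja4() {
    tshark -r "$1" -Y 'tls.handshake.type == 1' -T fields \
        -e ip.dst -e tls.handshake.extensions_server_name -e tls.handshake.ja4
}

# Same shape for ServerHello responses, using the plugin's JA4S field.
extract_ja4s() {
    tshark -r "$1" -Y 'tls.handshake.type == 2' -T fields -e ip.src -e ja4.ja4s
}

# stdin: "dst<TAB>sni<TAB>ja4" lines; stdout: "count<TAB>ja4<TAB>first_sni_seen",
# most common first. Lines without a fingerprint (non-TLS, truncated hello) are skipped.
summarize_ja4() {
    awk -F'\t' 'NF >= 3 && $3 != "" { n[$3]++; if (!($3 in ex)) ex[$3] = $2 }
                END { for (f in n) printf "%d\t%s\t%s\n", n[f], f, ex[f] }' |
        sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# Fingerprints seen fewer than $1 times: in a capture dominated by one browser these are
# the odd clients (scripts, updaters, tooling) worth a closer look.
rare_ja4() {
    summarize_ja4 | awk -F'\t' -v limit="$1" '$1 < limit { print $2 }'
}

# Constructed sample in extract_ja4's output format (synthetic fingerprints and addresses;
# "t13d..." hellos carry an SNI, "t12i..." marks one without, as JA4's d/i flag does).
SAMPLE_JA4="$(printf '%s\t%s\t%s\n' \
    203.0.113.10 www.example.com    t13d1516h2_0123456789ab_fedcba987654 \
    203.0.113.11 api.example.com    t13d1516h2_0123456789ab_fedcba987654 \
    203.0.113.12 cdn.example.net    t13d1516h2_0123456789ab_fedcba987654 \
    203.0.113.20 update.example.org t13d1715h2_00aa11bb22cc_33dd44ee55ff \
    203.0.113.30 ''                 t12i0801h1_aabbccddeeff_001122334455)"

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_JA4" | summarize_ja4
    printf '%s\n' "$SAMPLE_JA4" | rare_ja4 2
elif [ -n "${1:-}" ]; then
    extract_ja4 "$1" | summarize_ja4      # ./ja4_summary.sh ja4_plugin_capture.pcapng
fi
```

Running it against initial_capture.pcapng and ja4_plugin_capture.pcapng with the plugin installed produces fingerprints for both, which makes the point of the comparison section concrete: the difference is in the dissector, not in the files. Pipe the output into rare_ja4 with a threshold suited to the capture length to get the short list of uncommon clients.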

Advanced Configuration: Customizing Columns and Preferences

Adding Columns via Preferences File

Close Wireshark first, since it rewrites the preferences file on exit and would overwrite your edits. Then open the file in a text editor and add the following to the "User Interface: Columns" section (the gui.column.format entry):

"JA4T", "%Cus:ja4.ja4t:0:R",
"JA4TS", "%Cus:ja4.ja4ts:0:R",
"JA4", "%Cus:tls.handshake.ja4:0:R",
"JA4S", "%Cus:ja4.ja4s:0:R",
"JA4H", "%Cus:ja4.ja4h:0:R",
"JA4L", "%Cus:ja4.ja4l:0:R",
"JA4LS", "%Cus:ja4.ja4ls:0:R",
"JA4X", "%Cus:ja4.ja4x:0:R",
"JA4SSH", "%Cus:ja4.ja4ssh:0:R"

Preferences File Locations:

  • Windows: %APPDATA%\Wireshark\preferences
  • Mac: ~/.config/wireshark/preferences
  • Linux: ~/.config/wireshark/preferences

Licensing

See Licensing under the repository root. For any issues or questions, create an issue on the JA4 GitHub repository or contact john@foxio.io.

Conclusion

By following this guide, you should now have the JA4+ plugin installed and configured on your Wireshark setup across different operating systems. This plugin enhances your ability to analyze TLS handshakes and encrypted traffic, providing deeper insights into your network captures. Whether you are a beginner or an expert, the JA4+ plugin is a valuable tool for advanced network traffic analysis.

For further information and updates, refer to the JA4 GitHub repository. If you encounter any issues or have questions, feel free to create an issue on the repository or contact the support team.

Happy analyzing!