vrr/nDPI
2
0
Fork 0
mirror of https://github.com/vel21ripn/nDPI.git synced 2026-05-02 00:40:17 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5
nDPI/tests/cfgs/default/result/codm.pcap.out
Adrian Pekar 5f312c0cd6
Fix JA4 fingerprinting (#2915) 
* Fix JA4 ALPN fingerprint to use first and last characters

According to the JA4 specification (line 2139), the ALPN field should
contain the first and last characters of the first ALPN extension value.

Currently, nDPI uses the first and second characters (alpn[0] and alpn[1]),
which produces incorrect fingerprints that don't match other JA4
implementations like Wireshark.

For example, with ALPN 'http/1.1':
- Current (incorrect): 'ht' (first + second char)
- Fixed (correct):     'h1' (first + last char)

This change ensures nDPI's JA4 implementation conforms to the official
specification and maintains interoperability with other JA4 tools.

Fixes: Incorrect JA4 ALPN fingerprint generation

* Fix JA4 ALPN implementation to correctly parse first ALPN protocol

The previous fix attempted to use strlen(ja->client.alpn)-1 but this was
insufficient because nDPI modifies the ALPN string by:
1. Adding null terminators that truncate the last character
2. Converting semicolons to dashes, affecting multi-protocol ALPNs

This complete fix:
- Adds alpn_original_last field to store the true last character
- Captures the last character of the FIRST ALPN protocol only (before ;/,)
- Preserves the original character before nDPI's string modifications

Now correctly implements JA4 spec: first + last characters of first ALPN protocol
Examples:
- ALPN 'h2;http/1.1' -> 'h2' (not 'h.' or 'h1')
- ALPN 'http/1.1' -> 'h1' (not 'ht' or 'h.')

Fixes: #2914

* Fix JA4 SNI detection to properly handle missing SNI extensions

Previously, nDPI incorrectly set JA4 SNI flag to 'd' (domain present) for
flows without any SNI extension. This was because the logic only checked
for NDPI_NUMERIC_IP_HOST risk (set when SNI contains IP) but didn't
distinguish between missing SNI and domain SNI.

Now properly detects:
- No SNI extension → 'i' flag
- SNI with IP address → 'i' flag
- SNI with domain → 'd' flag

This matches the JA4 specification.
2025-07-10 14:03:27 +02:00

37 lines
2.9 KiB
Text
Raw Blame History

DPI Packets (TCP): 7 (7.00 pkts/flow)
DPI Packets (UDP): 5 (2.50 pkts/flow)
Confidence DPI : 3 (flows)
Num dissector calls: 477 (159.00 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/0/0 (insert/search/found)
LRU cache stun: 0/0/0 (insert/search/found)
LRU cache tls_cert: 0/0/0 (insert/search/found)
LRU cache mining: 0/0/0 (insert/search/found)
LRU cache msteams: 0/0/0 (insert/search/found)
LRU cache fpc_dns: 0/2/0 (insert/search/found)
Automa host: 1/1 (search/found)
Automa domain: 1/0 (search/found)
Automa tls cert: 0/0 (search/found)
Automa risk mask: 0/0 (search/found)
Automa common alpns: 1/1 (search/found)
Patricia risk mask: 2/0 (search/found)
Patricia risk mask IPv6: 0/0 (search/found)
Patricia risk: 0/0 (search/found)
Patricia risk IPv6: 0/0 (search/found)
Patricia protocols: 4/2 (search/found)
Patricia protocols IPv6: 0/0 (search/found)
CoD_Mobile 13 3590 3
Fun 13 3590 3
Game 13 3590 3
JA Host Stats:
IP Address # JA4C
1 10.215.173.1 1
1 TCP 10.215.173.1:45028 <-> 49.51.177.25:8013 [proto: 91.186/TLS.CoD_Mobile][IP: 285/Tencent][Encrypted][Confidence: DPI][FPC: 285/Tencent, Confidence: IP address][DPI packets: 7][cat: Game/8][4 pkts/697 bytes <-> 3 pkts/1560 bytes][Goodput ratio: 74/92][0.51 sec][Hostname/SNI: west-tdm.codmwest.com][(Advertised) ALPNs: http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.382 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/8 104/102 307/195 143/94][Pkt Len c2s/s2c min/avg/max/stddev: 40/40 174/520 552/1472 218/673][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: Expected on port 443][TCP Fingerprint: 2_64_65535_b8d6cf600040/Unknown][TLSv1.2][JA4: t13d1713h1_5b57614c22b0_eca864cca44a][JA3S: 00447ab319e9d94ba2b4c1248e155917][Safari][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0]
2 UDP 10.215.173.1:38704 <-> 43.131.34.20:7948 [proto: 186/CoD_Mobile][IP: 285/Tencent][ClearText][Confidence: DPI][FPC: 285/Tencent, Confidence: IP address][DPI packets: 4][cat: Game/8][1 pkts/210 bytes <-> 3 pkts/1043 bytes][Goodput ratio: 86/92][0.06 sec][PLAIN TEXT (PREFAB)][Plen Bins: 25,0,0,0,0,25,0,0,0,0,0,0,0,0,25,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
3 UDP 10.215.173.1:40282 <-> 23.248.172.158:7500 [proto: 186/CoD_Mobile][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 186/CoD_Mobile, Confidence: DPI][DPI packets: 1][cat: Game/8][1 pkts/40 bytes <-> 1 pkts/40 bytes][Goodput ratio: 29/29][< 1 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
Reference in a new issue View git blame Copy permalink