JA4+ Fingerprinting
Synapse implements the complete JA4+ fingerprinting suite for advanced threat detection and behavioral analysis. Fingerprints identify clients, servers, and connections by their protocol behavior — not just IP addresses.
Fingerprint Suite
| Fingerprint | Layer | Source | Available In |
|---|---|---|---|
| JA4 | TLS | ClientHello | Proxy |
| JA4S | TLS | ServerHello | Proxy |
| JA4H | HTTP | Request Headers | Proxy |
| JA4L | Network | Client-to-Server Latency | Both |
| JA4LS | Network | Server-to-Client Latency | Both |
| JA4T | TCP | SYN Packet Options | Both |
| JA4TS | TCP | SYN-ACK Response | Proxy |
| JA4TScan | TCP | Active TCP Scan | Both |
| JA4X | TLS | X.509 Certificate | Proxy |
| JA4SSH | SSH | SSH Traffic Patterns | Both |
| JA4D | DHCP | DHCPv4 Fingerprinting | Both |
| JA4D6 | DHCP | DHCPv6 Fingerprinting | Both |
JA4 — TLS Client Fingerprint
Fingerprints the TLS ClientHello message to identify the client's TLS library and configuration, independent of the source IP.
Format: {proto}{version}{sni}{cipher_count}{ext_count}{alpn}_{cipher_hash}_{ext_hash}
Example: t13d1516h2_8daaf6152771_b186095e22b6
| Segment | Meaning |
|---|---|
| t | Transport: t = TCP, q = QUIC |
| 13 | TLS 1.3, taken from the highest version offered in supported_versions rather than the legacy record version |
| d | SNI present (d = domain); i = no SNI, the client connected by IP |
| 15 | 15 cipher suites offered (GREASE values ignored) |
| 16 | 16 extensions (GREASE ignored; SNI and ALPN are counted here even though they are left out of the extension hash) |
| h2 | First and last character of the first ALPN value (HTTP/2); 00 when no ALPN is offered |
| _8daaf6152771 | First 12 hex characters of SHA256 over the sorted cipher suite list |
| _b186095e22b6 | First 12 hex characters of SHA256 over the sorted extension list, excluding SNI and ALPN, with the signature_algorithms values appended in the order the client sent them |
Because both hashes are over sorted lists, reordering cipher suites or extensions does not change JA4; Chrome's per-connection extension shuffling, which broke JA3, still yields one stable JA4.
Detects: Bot traffic, TLS library tampering, client application identification, impersonation attempts.
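The algorithm above as an added worked example (this is not Synapse's implementation): a minimal ClientHello parser and JA4 calculator in Python. build_client_hello() and sni_ext() exist only to construct test input, the hash values are computed at run time, and the spec's rule for non-alphanumeric ALPN values is omitted for brevity.

```python
# Added example (not Synapse code): compute a JA4 fingerprint from a TLS
# ClientHello handshake message following the published JA4 algorithm.
# build_client_hello() assembles constructed test input so the script runs offline.
import hashlib
import struct

GREASE = {(0x0a + 0x10 * i) * 0x101 for i in range(16)}   # 0x0a0a, 0x1a1a, ... 0xfafa
TLS_VERSIONS = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10", 0x0300: "s3"}


def sha12(text):
    """First 12 hex chars of SHA256; all zeros for an empty input (JA4 convention)."""
    return hashlib.sha256(text.encode()).hexdigest()[:12] if text else "0" * 12


def u16(buf, pos):
    return struct.unpack(">H", buf[pos:pos + 2])[0]


def parse_client_hello(msg):
    """Return (legacy_version, [cipher ids], [(ext_type, ext_body), ...]) from a Handshake message."""
    if msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    pos = 4                                    # handshake type (1) + length (3)
    version = u16(msg, pos)
    pos += 2 + 32                              # legacy_version + random
    pos += 1 + msg[pos]                        # session id
    cs_len = u16(msg, pos)
    pos += 2
    ciphers = [u16(msg, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + msg[pos]                        # compression methods
    exts = []
    if pos + 2 <= len(msg):
        end = pos + 2 + u16(msg, pos)
        pos += 2
        while pos + 4 <= end:
            etype, elen = u16(msg, pos), u16(msg, pos + 2)
            exts.append((etype, msg[pos + 4:pos + 4 + elen]))
            pos += 4 + elen
    return version, ciphers, exts


def ja4(msg, proto="t"):
    version, ciphers, exts = parse_client_hello(msg)
    ext_map = dict(exts)
    # TLS 1.3 keeps legacy_version = 0x0303; the real version is the highest
    # non-GREASE value in supported_versions (0x002b).
    if 0x002b in ext_map:
        body = ext_map[0x002b]
        offered = [u16(body, i) for i in range(1, 1 + body[0], 2)]
        version = max(v for v in offered if v not in GREASE)
    ciphers = [c for c in ciphers if c not in GREASE]
    ext_types = [t for t, _ in exts if t not in GREASE]
    sni = "d" if 0x0000 in ext_map else "i"
    alpn = "00"
    if 0x0010 in ext_map:
        body = ext_map[0x0010]
        first = body[3:3 + body[2]]            # first protocol name in the ALPN list
        alpn = chr(first[0]) + chr(first[-1])  # "h2" -> h2, "http/1.1" -> h1
    ja4_a = (f"{proto}{TLS_VERSIONS.get(version, '00')}{sni}"
             f"{min(len(ciphers), 99):02d}{min(len(ext_types), 99):02d}{alpn}")
    ja4_b = sha12(",".join(sorted(f"{c:04x}" for c in ciphers)))
    # Extension hash: sorted types without SNI/ALPN, then signature_algorithms
    # appended after "_" in the order the client sent them.
    hashed = sorted(f"{t:04x}" for t in ext_types if t not in (0x0000, 0x0010))
    ext_text = ",".join(hashed)
    if 0x000d in ext_map:
        body = ext_map[0x000d]
        sig_algs = [f"{u16(body, i):04x}" for i in range(2, 2 + u16(body, 0), 2)]
        ext_text += "_" + ",".join(sig_algs)
    ja4_c = sha12(ext_text) if hashed else "0" * 12
    return f"{ja4_a}_{ja4_b}_{ja4_c}"


def build_client_hello(ciphers, extensions):
    """Constructed ClientHello (not a capture): random and session id are zeroed."""
    body = b"\x03\x03" + bytes(32) + b"\x00"                  # legacy_version, random, empty session id
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                        # one compression method: null
    ext_bytes = b"".join(struct.pack(">HH", t, len(v)) + v for t, v in extensions)
    body += struct.pack(">H", len(ext_bytes)) + ext_bytes
    return b"\x01" + len(body).to_bytes(3, "big") + body


def sni_ext(host):
    entry = b"\x00" + struct.pack(">H", len(host)) + host.encode()   # name_type = host_name
    return struct.pack(">H", len(entry)) + entry


SAMPLE = build_client_hello(
    ciphers=[0x0a0a, 0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f],   # leading GREASE is ignored
    extensions=[
        (0x1a1a, b""),                                # GREASE extension, ignored
        (0x0000, sni_ext("example.com")),             # SNI
        (0x0010, b"\x00\x03\x02h2"),                  # ALPN list: "h2"
        (0x002b, b"\x06\x0a\x0a\x03\x04\x03\x03"),    # supported_versions: GREASE, 1.3, 1.2
        (0x000d, b"\x00\x04\x04\x03\x08\x04"),        # signature_algorithms: 0403, 0804
        (0x0033, b"\x00\x00"),                        # key_share with an empty share list
    ],
)

if __name__ == "__main__":
    print(ja4(SAMPLE))   # JA4_a reads t13d0505h2: TLS 1.3, SNI, 5 ciphers, 5 extensions, h2
```

The JA4_a segment of the sample can be read straight off the constructed hello (GREASE cipher and GREASE extension dropped, version lifted from supported_versions), while the two hashes change the moment a cipher or extension is added, which is what makes the value useful as a library identifier.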
JA4S — TLS Server Fingerprint
Fingerprints the TLS ServerHello response to identify the server (or, in front of Synapse, the proxy or load balancer) that answered.
Format: {proto}{version}{ext_count}{alpn}_{cipher}_{extensions_hash}
Example: t1302h2_1301_a56c5b993250
| Segment | Meaning |
|---|---|
| t13 | TLS 1.3 over TCP (q for QUIC); the version is taken from supported_versions when the server sends it |
| 02 | 2 extensions in the ServerHello |
| h2 | ALPN protocol the server selected (HTTP/2); 00 when none |
| _1301 | Cipher suite selected: TLS_AES_128_GCM_SHA256 |
| _a56c5b993250 | First 12 hex characters of SHA256 over the extension list in the order the server sent it (unlike JA4, not sorted) |
Detects: Backend infrastructure mapping, load balancer identification, server configuration changes, CDN fingerprinting.
JA4H — HTTP Header Fingerprint
Fingerprints HTTP request headers to identify clients at the application layer, where the set and order of headers betray the HTTP library even when the User-Agent is copied from a browser.
Format: {method}{version}{cookie}{referer}{count}{lang}_{headers_hash}_{cookie_names_hash}_{cookie_values_hash}
Example: ge11cr15enus_a1b2c3d4e5f6_123456789abc_def012345678
| Segment | Meaning |
|---|---|
| ge | First two characters of the HTTP method, lowercase (GET) |
| 11 | HTTP/1.1 (20 for HTTP/2) |
| c | Cookie header present (n if absent) |
| r | Referer header present (n if absent) |
| 15 | 15 headers, not counting Cookie and Referer |
| enus | First four characters of the primary Accept-Language value, lowercased with the hyphen removed and zero-padded (0000 when the header is absent) |
| _a1b2c3d4e5f6 | Truncated SHA256 of the header names in the order sent, Cookie and Referer excluded |
| _123456789abc | Truncated SHA256 of the sorted cookie names (000000000000 when there are no cookies) |
| _def012345678 | Truncated SHA256 of the sorted cookie name=value pairs (000000000000 when there are no cookies) |
The header hash is order-sensitive, so two clients that send the same header names in a different order get different fingerprints; the cookie hashes are sorted, so cookie order does not matter.
Detects: Browser fingerprinting, User-Agent spoofing, header manipulation, automation tools, scrapers.
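An added worked example of the JA4H computation (not Synapse's code): a small HTTP/1.x request parser and the four-part fingerprint in Python. The two requests are constructed; they carry the same User-Agent to show that the header set, not the User-Agent string, drives the result.

```python
# Added example (not Synapse code): compute a JA4H fingerprint from a raw HTTP/1.x
# request following the published JA4H algorithm. Sample requests are constructed.
import hashlib

HTTP_VERSIONS = {"1.0": "10", "1.1": "11", "2": "20", "2.0": "20", "3": "30"}


def sha12(text):
    """First 12 hex chars of SHA256; all zeros for an empty input (JA4H convention)."""
    return hashlib.sha256(text.encode()).hexdigest()[:12] if text else "0" * 12


def parse_request(raw):
    """Return (method, version, [(name, value), ...]) with headers in wire order."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, _target, proto = request_line.split(" ", 2)
    headers = []
    for line in header_lines:
        if line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return method, proto.split("/", 1)[1], headers


def ja4h(raw):
    method, version, headers = parse_request(raw)
    lower = {n.lower(): v for n, v in headers}
    # Header count and header hash ignore Cookie and Referer, which are
    # captured separately as the c/r flags and the cookie hashes.
    kept = [n for n, _ in headers if n.lower() not in ("cookie", "referer")]
    lang = "0000"
    if "accept-language" in lower:
        primary = lower["accept-language"].split(",")[0].split(";")[0].strip()
        lang = primary.replace("-", "").lower()[:4].ljust(4, "0")
    ja4h_a = (f"{method[:2].lower()}{HTTP_VERSIONS.get(version, '00')}"
              f"{'c' if 'cookie' in lower else 'n'}{'r' if 'referer' in lower else 'n'}"
              f"{min(len(kept), 99):02d}{lang}")
    ja4h_b = sha12(",".join(kept))
    # Cookies are sorted so the fingerprint does not depend on the order the
    # client sends them; values are hashed separately from names.
    cookies = [c.strip() for c in lower.get("cookie", "").split(";") if c.strip()]
    ja4h_c = sha12(",".join(sorted(c.split("=", 1)[0] for c in cookies)))
    ja4h_d = sha12(",".join(sorted(cookies)))
    return f"{ja4h_a}_{ja4h_b}_{ja4h_c}_{ja4h_d}"


# Constructed requests: a browser-like request and a minimal scripted client.
BROWSER = (
    "GET /api/data HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\n"
    "Accept-Language: en-US,en;q=0.9\r\n"
    "Accept-Encoding: gzip, deflate, br\r\n"
    "Referer: https://example.com/\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "Connection: keep-alive\r\n\r\n"
)
SCRIPT = (
    "GET /api/data HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"     # same User-Agent, very different fingerprint
    "Accept-Encoding: identity\r\n\r\n"
)

if __name__ == "__main__":
    print(ja4h(BROWSER))   # JA4H_a reads ge11cr06enus
    print(ja4h(SCRIPT))    # JA4H_a reads ge11nn030000, both cookie hashes are all zeros
```

JA4H_a alone separates the two requests (cookie and referer flags, header count, language), and the cookie-name hash gives a stable handle on a session-bearing client even after the cookie values rotate.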
JA4T — TCP Client Fingerprint
Fingerprints the TCP SYN packet to identify the client's OS and network stack.
Format: {window_size}_{tcp_options}_{mss}_{window_scale}
Example: 65535_2-4-8-1-3_1460_7
| Segment | Meaning |
|---|---|
| 65535 | TCP window size advertised in the SYN |
| 2-4-8-1-3 | TCP option kinds in the order sent (2 = MSS, 4 = SACK permitted, 8 = Timestamps, 1 = NOP, 3 = Window Scale); trailing EOL padding bytes appear as 0 |
| 1460 | Maximum Segment Size (00 if the option is absent) |
| 7 | Window scale shift (00 if the option is absent) |
Common patterns (typical stack defaults; window size and MSS shift with kernel version, tuning and path MTU, so option order and window scale are the more stable fields):
| JA4T | Typical source |
|---|---|
| 64240_2-4-8-1-3_1460_7 | Linux |
| 64240_2-1-3-1-1-4_1460_8 | Windows 10/11 |
| 65535_2-1-3-1-1-8-4-0-0_1460_6 | macOS |
TTL is not part of JA4T; it is carried by JA4L.
Detects: Operating system fingerprinting, network stack behavior, NAT/proxy presence, device type identification.
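An added worked example (not Synapse's code) of extracting JA4T from the raw TCP header of a SYN and matching it against typical per-OS defaults. build_syn(), the option byte constants and the KNOWN_STACKS table are assumptions for this example; the per-OS values are typical defaults that will differ with kernel version, tuning and path MTU, which is why guess_os() matches on option order and window scale rather than on the full string.

```python
# Added example (not Synapse code): derive a JA4T fingerprint from the raw TCP
# header of a SYN. build_syn() constructs the headers; the KNOWN_STACKS entries
# are assumed typical defaults, not an authoritative database.
import struct

MSS = b"\x02\x04" + struct.pack(">H", 1460)
SACK_OK = b"\x04\x02"
TIMESTAMPS = b"\x08\x0a" + bytes(8)
NOP = b"\x01"
EOL = b"\x00"


def wscale(shift):
    return b"\x03\x03" + bytes([shift])


def build_syn(window, options):
    """Constructed TCP header with SYN set; ports, sequence numbers and checksum are zeroed."""
    opts = b"".join(options)
    if len(opts) % 4:
        raise ValueError("options must be padded to a 32-bit boundary with NOP/EOL")
    data_offset = (20 + len(opts)) // 4
    return struct.pack(">HHIIBBHHH", 0, 443, 0, 0, data_offset << 4, 0x02, window, 0, 0) + opts


def ja4t(tcp_header):
    """JA4T = window_optionkinds_mss_wscale from a SYN; 00 marks a missing MSS or scale."""
    data_offset = (tcp_header[12] >> 4) * 4
    window = struct.unpack(">H", tcp_header[14:16])[0]
    opts = tcp_header[20:data_offset]
    kinds, mss, scale = [], "00", "00"
    i = 0
    while i < len(opts):
        kind = opts[i]
        kinds.append(str(kind))
        if kind in (0, 1):                  # EOL and NOP are single bytes; EOL padding is listed too
            i += 1
            continue
        length = opts[i + 1]
        if length < 2:                      # malformed option: stop rather than loop forever
            break
        if kind == 2:
            mss = str(struct.unpack(">H", opts[i + 2:i + 4])[0])
        elif kind == 3:
            scale = str(opts[i + 2])
        i += length
    return f"{window}_{'-'.join(kinds)}_{mss}_{scale}"


# Assumed typical SYN defaults per OS for this example (not exhaustive).
KNOWN_STACKS = {
    "64240_2-4-8-1-3_1460_7": "Linux",
    "64240_2-1-3-1-1-4_1460_8": "Windows 10/11",
    "65535_2-1-3-1-1-8-4-0-0_1460_6": "macOS",
}


def guess_os(fingerprint):
    """Match on option order and window scale; MSS and window shift with path MTU and tuning."""
    _, kinds, _, scale = fingerprint.split("_")
    for known, name in KNOWN_STACKS.items():
        _, k_kinds, _, k_scale = known.split("_")
        if (kinds, scale) == (k_kinds, k_scale):
            return name
    return "unknown"


LINUX_SYN = build_syn(64240, [MSS, SACK_OK, TIMESTAMPS, NOP, wscale(7)])
WINDOWS_SYN = build_syn(64240, [MSS, NOP, wscale(8), NOP, NOP, SACK_OK])
MACOS_SYN = build_syn(65535, [MSS, NOP, wscale(6), NOP, NOP, TIMESTAMPS, SACK_OK, EOL, EOL])
# Same Linux stack behind a PPPoE link: only the MSS changes, so the match should survive.
PPPOE_SYN = build_syn(64240, [b"\x02\x04" + struct.pack(">H", 1452), SACK_OK, TIMESTAMPS, NOP, wscale(7)])

if __name__ == "__main__":
    for syn in (LINUX_SYN, WINDOWS_SYN, MACOS_SYN, PPPOE_SYN):
        fp = ja4t(syn)
        print(fp, guess_os(fp))
```

The PPPoE case is the reason to match loosely: a client whose path MTU lowers the MSS still runs the same kernel, and a detector keyed on the exact JA4T string would miss it.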
JA4TS — TCP Server Fingerprint
Fingerprints the TCP SYN-ACK response from the server side.
Format: Same structure as JA4T but captured from the server's SYN-ACK packet.
Detects: Server OS identification, load balancer detection, backend infrastructure mapping.
JA4L — Client-to-Server Latency
Estimates client-to-server latency from TCP handshake timing; the L stands for light distance, since latency bounds the physical distance to the client.
Format: {latency_microseconds}_{ttl}
Example: 12500_64 (12.5 ms estimated one-way latency; TTL 64 as observed in the client's SYN)
Calculation: (t(ACK) − t(SYN-ACK)) / 2, both timestamps taken where Synapse sees the packets, so the value is half of the client's handshake round trip. The TTL is the observed value, so the difference from the stack's initial TTL (64, 128 or 255) gives the hop count.
Caveat: the latency is to whatever terminates TCP nearest to Synapse. A forward proxy, VPN exit or CDN edge in front of the client yields that hop's latency and TTL rather than the end user's, which is what makes proxy and VPN detection possible when the values disagree with the claimed origin.
Detects: Network distance estimation, geographic location approximation, proxy/VPN detection, CDN usage patterns.
JA4LS — Server-to-Client Latency
Estimates latency from the server side of the handshake.
Format: {latency_microseconds}_{ttl}
Calculation: (t(SYN-ACK) − t(SYN)) / 2, using the TTL observed in the SYN-ACK.
Detects: Server distance measurement, hosting provider identification, latency anomaly detection.
JA4X — X.509 Certificate Fingerprint
Fingerprints X.509 certificates by their structural properties.
Format: {issuer_hash}_{subject_hash}_{extensions_hash}
Example: aae71e8db6d7_b186095e22b6_c1a4f9e7d8b3
Three 12-char SHA256 truncated hashes of:
- Issuer — RDN OIDs of the certificate issuer
- Subject — RDN OIDs of the certificate subject
- Extensions — Certificate extension OIDs
Detects: Certificate authority patterns, certificate structure anomalies, organization identification, PKI mapping.
JA4TScan — Active TCP Fingerprint Scanner
Active TCP fingerprint scanning tool that sends crafted packets to identify remote systems.
Detects: Remote OS identification, network service discovery, infrastructure mapping.
JA4SSH — SSH Traffic Fingerprint
Fingerprints SSH sessions by analyzing traffic patterns without decrypting the session.
Detects: SSH client identification, automated SSH tools, lateral movement detection, tunneling activity.
JA4D — DHCPv4 Fingerprint
Fingerprints DHCP clients by analyzing DHCPv4 Discover and Request messages.
Detects: Device type identification (IoT, workstation, mobile), rogue device detection, network inventory, unauthorized device discovery.
JA4D6 — DHCPv6 Fingerprint
Fingerprints DHCP clients by analyzing DHCPv6 Solicit and Request messages.
Detects: IPv6 device identification, dual-stack device correlation, rogue device detection on IPv6 networks.
Access Log Integration
JA4+ fingerprints are included in Synapse access logs as nested fields under http, tls and tcp; the TCP-layer fields require TCP fingerprinting to be enabled (see Configuration):
{
  "timestamp": "2025-10-29T12:34:56.789Z",
  "client_ip": "192.168.1.100",
  "http": {
    "method": "GET",
    "path": "/api/data",
    "ja4h": "ge11cr15enus_a1b2c3d4e5f6_123456789abc_def012345678"
  },
  "tls": {
    "ja4": "t13d1516h2_8daaf6152771_b186095e22b6",
    "ja4s": "t1302h2_1301_a56c5b993250",
    "ja4x": "aae71e8db6d7_b186095e22b6_c1a4f9e7d8b3"
  },
  "tcp": {
    "ja4t": "65535_2-4-8-1-3_1460_7",
    "ja4l": "12500_64"
  }
}
Configuration
Enable TCP Fingerprinting
logging:
  tcp_fingerprint:
    enabled: true
    log_interval_secs: 60
    enable_fingerprint_events: true
    fingerprint_events_interval_secs: 30
    min_packet_count: 3
    min_connection_duration_secs: 1
Equivalent environment variables:
TCP_FINGERPRINT_ENABLED=true
TCP_FINGERPRINT_LOG_INTERVAL=60
Enable BPF Statistics
logging:
  bpf_stats:
    enabled: true
    log_interval_secs: 60
    enable_dropped_ip_events: true
    dropped_ip_events_interval_secs: 30
Equivalent environment variables:
BPF_STATS_ENABLED=true
BPF_STATS_LOG_INTERVAL=60
Analyzing Fingerprints
Extract Unique Fingerprints
# Unique JA4 (TLS client) fingerprints; "// empty" skips records with no tls block
# (plain-HTTP requests), which would otherwise be counted as the string "null"
tail -n 1000 /var/log/synapse/access.log | jq -r '.tls.ja4 // empty' | sort | uniq -c | sort -rn
# Unique JA4T (TCP) fingerprints
tail -n 1000 /var/log/synapse/access.log | jq -r '.tcp.ja4t // empty' | sort | uniq -c | sort -rn
# Unique JA4H (HTTP) fingerprints
tail -n 1000 /var/log/synapse/access.log | jq -r '.http.ja4h // empty' | sort | uniq -c | sort -rn
# Correlate IP with all fingerprints; a missing layer shows as "-"
tail -n 1000 /var/log/synapse/access.log | jq -r '[.client_ip, (.tls.ja4 // "-"), (.tcp.ja4t // "-"), (.http.ja4h // "-")] | @tsv'
Bot Detection
Combine multiple fingerprints to identify automated traffic:
# Group by JA4 fingerprint, find IPs sharing the same fingerprint
tail -n 10000 /var/log/synapse/access.log | jq 'select(.tls.ja4) |
{ip: .client_ip, ja4: .tls.ja4, ja4h: .http.ja4h}' |
jq -s 'group_by(.ja4) | map({ja4: .[0].ja4, count: length, ips: map(.ip) | unique})'
Find Rare Fingerprints
# Rare fingerprints often indicate attack tools or unusual clients. A count of 1 in
# a 10000-line window deserves a look, but also catches legitimate first-time clients,
# so confirm with JA4T/JA4H before acting on it.
tail -n 10000 /var/log/synapse/access.log | jq -r '.tls.ja4 // empty' |
sort | uniq -c | sort -n | head -20
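The bot-detection and rare-fingerprint queries above, as an added example in Python rather than jq (this is not Synapse's code), extended to a cross-layer client identity. The log lines are constructed in the access-log schema shown on this page; the fingerprint strings other than the page's own example values are placeholders in the documented formats, not real captures, and the thresholds are assumptions.

```python
# Added example (not Synapse code): group access-log records by a cross-layer
# identity (JA4, JA4T, JA4H), then find identities that rotate through IPs, rare
# JA4 values, and IPs hosting more than one identity. All records are constructed.
import json
from collections import defaultdict

# Constructed JSON-lines records. Lines 1-3: one browser identity from two IPs.
# Lines 4-7: one scripted client from four IPs, one of them shared with the browser.
# Line 8: a one-off client. Line 9: plain HTTP, so no tls or tcp block at all.
LOG_LINES = """
{"timestamp":"2025-10-29T12:00:01Z","client_ip":"203.0.113.10","http":{"ja4h":"ge11cr15enus_a1b2c3d4e5f6_123456789abc_def012345678"},"tls":{"ja4":"t13d1516h2_8daaf6152771_b186095e22b6"},"tcp":{"ja4t":"64240_2-1-3-1-1-4_1460_8"}}
{"timestamp":"2025-10-29T12:00:02Z","client_ip":"203.0.113.10","http":{"ja4h":"ge11cr15enus_a1b2c3d4e5f6_123456789abc_def012345678"},"tls":{"ja4":"t13d1516h2_8daaf6152771_b186095e22b6"},"tcp":{"ja4t":"64240_2-1-3-1-1-4_1460_8"}}
{"timestamp":"2025-10-29T12:00:03Z","client_ip":"198.51.100.7","http":{"ja4h":"ge11cr15enus_a1b2c3d4e5f6_123456789abc_def012345678"},"tls":{"ja4":"t13d1516h2_8daaf6152771_b186095e22b6"},"tcp":{"ja4t":"64240_2-1-3-1-1-4_1460_8"}}
{"timestamp":"2025-10-29T12:00:04Z","client_ip":"203.0.113.10","http":{"ja4h":"ge11nn030000_aaaaaaaaaaaa_000000000000_000000000000"},"tls":{"ja4":"t13d0312h1_bbbbbbbbbbbb_cccccccccccc"},"tcp":{"ja4t":"64240_2-4-8-1-3_1460_7"}}
{"timestamp":"2025-10-29T12:00:05Z","client_ip":"192.0.2.21","http":{"ja4h":"ge11nn030000_aaaaaaaaaaaa_000000000000_000000000000"},"tls":{"ja4":"t13d0312h1_bbbbbbbbbbbb_cccccccccccc"},"tcp":{"ja4t":"64240_2-4-8-1-3_1460_7"}}
{"timestamp":"2025-10-29T12:00:06Z","client_ip":"192.0.2.22","http":{"ja4h":"ge11nn030000_aaaaaaaaaaaa_000000000000_000000000000"},"tls":{"ja4":"t13d0312h1_bbbbbbbbbbbb_cccccccccccc"},"tcp":{"ja4t":"64240_2-4-8-1-3_1460_7"}}
{"timestamp":"2025-10-29T12:00:07Z","client_ip":"192.0.2.23","http":{"ja4h":"ge11nn030000_aaaaaaaaaaaa_000000000000_000000000000"},"tls":{"ja4":"t13d0312h1_bbbbbbbbbbbb_cccccccccccc"},"tcp":{"ja4t":"64240_2-4-8-1-3_1460_7"}}
{"timestamp":"2025-10-29T12:00:08Z","client_ip":"198.51.100.99","http":{"ja4h":"ge11nr08enus_dddddddddddd_000000000000_000000000000"},"tls":{"ja4":"t12d0208h1_eeeeeeeeeeee_ffffffffffff"},"tcp":{"ja4t":"65535_2-1-3-1-1-8-4-0-0_1460_6"}}
{"timestamp":"2025-10-29T12:00:09Z","client_ip":"198.51.100.5","http":{"ja4h":"ge11nn020000_aaaaaaaaaaaa_000000000000_000000000000"}}
""".strip().splitlines()


def load(lines):
    return [json.loads(line) for line in lines if line.strip()]


def field(rec, *path):
    """Nested lookup that tolerates missing layers (plain-HTTP requests have no tls block)."""
    for key in path:
        rec = rec.get(key) if isinstance(rec, dict) else None
    return rec


def identity(rec):
    """Cross-layer client identity: TLS library, TCP stack and HTTP client together."""
    return (field(rec, "tls", "ja4"), field(rec, "tcp", "ja4t"), field(rec, "http", "ja4h"))


def cluster(records):
    """identity -> {"count": n, "ips": sorted unique IPs}, like the jq group_by query."""
    groups = defaultdict(lambda: {"count": 0, "ips": set()})
    for rec in records:
        group = groups[identity(rec)]
        group["count"] += 1
        group["ips"].add(rec["client_ip"])
    return {k: {"count": v["count"], "ips": sorted(v["ips"])} for k, v in groups.items()}


def rotating_identities(groups, min_ips=3):
    """Identities seen from many IPs with identical fingerprints on every layer (assumed threshold)."""
    return {k: v for k, v in groups.items() if len(v["ips"]) >= min_ips}


def rare_ja4(records, max_count=1):
    """JA4 values seen at most max_count times in the window; missing tls blocks are skipped."""
    counts = defaultdict(int)
    for rec in records:
        fp = field(rec, "tls", "ja4")
        if fp:
            counts[fp] += 1
    return sorted(fp for fp, n in counts.items() if n <= max_count)


def shared_ips(records):
    """IPs behind which more than one identity appears: NAT, a proxy, or a bot beside a real user."""
    by_ip = defaultdict(set)
    for rec in records:
        by_ip[rec["client_ip"]].add(identity(rec))
    return {ip: len(ids) for ip, ids in by_ip.items() if len(ids) > 1}


if __name__ == "__main__":
    recs = load(LOG_LINES)
    groups = cluster(recs)
    for ident, info in rotating_identities(groups).items():
        print("rotating identity", ident, info)
    print("rare JA4:", rare_ja4(recs))
    print("IPs with several identities:", shared_ips(recs))
```

Keying on the three-layer tuple rather than on JA4 alone is what lets 203.0.113.10 be split into a browser and a scripted client sharing one address, and lets the scripted client be followed across the 192.0.2.0/24 rotation even though no single IP is suspicious on its own.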
Why JA4+ Matters
Source-IP blocking is cheap to bypass with a proxy pool or a rotating address range. JA4+ fingerprints provide:
- Persistent identification — the same client produces the same fingerprints after its IP changes, so its activity can be followed across a rotation
- Evasion resistance — harder to spoof than a User-Agent header or a source address. Not impossible: impersonation libraries replay a browser's exact ClientHello, so treat any single fingerprint as a signal rather than an identity
- Granular detection — distinguish different client types behind one NAT or proxy address
- Behavioral detection — previously unseen tooling stands out by its protocol behavior before any signature for it exists
- Cross-layer correlation — combine TLS, TCP, HTTP and latency signals; a mismatch between layers (a browser JA4 paired with a three-header JA4H, or a JA4 known from Windows browsers arriving on a Linux JA4T) is a stronger indicator than any one value
References
License
- JA4 (TLS Client) — BSD 3-Clause License
- JA4S, JA4H, JA4L, JA4LS, JA4T, JA4TS, JA4TScan, JA4X, JA4SSH, JA4D, JA4D6 — FoxIO License 1.1
See JA4 License for details.