Crate ja3_livecapture


JA3 Hash

A small TLS fingerprinting library written in Rust.

This crate lets a consumer fingerprint the ClientHello portion of a TLS handshake. It can hash TLS handshakes carried over both IPv4 and IPv6. It depends heavily on the tls-parser project from Rusticata.

It supports generating fingerprints from packet capture files as well as from live captures on a network interface, both using libpcap.

See the original JA3 project for more information.

Example of fingerprinting a packet capture file:

use ja3::Ja3;

let ja3 = Ja3::new("test.pcap")
    .process_pcap()
    .unwrap();

// Now we have a Vec of Ja3Hash objects
for hash in ja3 {
    println!("{}", hash);
}

Example of fingerprinting a live capture:

use ja3::Ja3;

let mut ja3 = Ja3::new("eth0")
    .process_live()
    .unwrap();
while let Some(hash) = ja3.next() {
    println!("{}", hash);
}

Structs

  • A JA3 hash builder. This provides options about how to extract a JA3 hash from a TLS handshake.
  • The output of a JA3 hash object. This consists of the JA3 string and MD5 hash.
  • Iterator of JA3 hashes captured during a live capture.
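
To show what the "JA3 string" in the hash output is made of, here is an added example (not this crate's code, which relies on tls-parser) that parses a raw ClientHello handshake message with the standard library only and builds the string `version,ciphers,extensions,groups,point_formats`, skipping GREASE values as the JA3 method does. The function names are hypothetical and the sample bytes are constructed; the MD5 step is left out because Rust's standard library has no MD5, and the JA3 hash is the MD5 digest of this string.

```rust
// Added example, not the crate's code. The ClientHello bytes at the bottom are constructed.
fn is_grease(v: u16) -> bool {
    (v & 0x0f0f) == 0x0a0a && (v >> 8) == (v & 0xff) // RFC 8701: 0x0a0a, 0x1a1a, ... 0xfafa
}
fn join(vals: &[u16]) -> String {
    let kept = vals.iter().filter(|v| !is_grease(**v)).map(|v| v.to_string());
    kept.collect::<Vec<_>>().join("-")
}
fn u16s(b: &[u8]) -> Vec<u16> {
    b.chunks_exact(2).map(|c| u16::from_be_bytes([c[0], c[1]])).collect()
}
fn take<'a>(buf: &mut &'a [u8], n: usize) -> Option<&'a [u8]> {
    let s: &'a [u8] = *buf;
    *buf = s.get(n..)?; // None when the message is truncated
    s.get(..n)
}
fn vector<'a>(buf: &mut &'a [u8], len_bytes: usize) -> Option<&'a [u8]> {
    let n = take(buf, len_bytes)?.iter().fold(0usize, |acc, x| (acc << 8) | *x as usize);
    take(buf, n) // body of a vector with a big-endian length prefix
}
fn ja3_string(mut b: &[u8]) -> Option<String> {
    if take(&mut b, 4)?[0] != 1 { return None; } // type 1 = ClientHello, then 3-byte length
    let version = u16s(take(&mut b, 2)?)[0];
    take(&mut b, 32)?; // random
    vector(&mut b, 1)?; // session id
    let ciphers = u16s(vector(&mut b, 2)?);
    vector(&mut b, 1)?; // compression methods
    let (mut exts, mut groups, mut formats): (Vec<u16>, Vec<u16>, Vec<u16>) = Default::default();
    let mut e = if b.is_empty() { b } else { vector(&mut b, 2)? }; // extensions are optional
    while !e.is_empty() {
        let id = u16s(take(&mut e, 2)?)[0];
        let data = vector(&mut e, 2)?;
        exts.push(id);
        match id {
            10 => groups = u16s(data.get(2..)?), // supported_groups, after its list length
            11 => formats = data.get(1..)?.iter().map(|f| u16::from(*f)).collect(),
            _ => {}
        }
    }
    let parts = [join(&ciphers), join(&exts), join(&groups), join(&formats)];
    Some(format!("{},{}", version, parts.join(",")))
}
fn sample_client_hello() -> Vec<u8> {
    let mut m = vec![0u8; 39]; // zeroed random and empty session id
    m[..6].copy_from_slice(&[1, 0, 0, 69, 3, 3]); // ClientHello, length 69, version 0x0303
    m.extend_from_slice(&[0, 6, 0x0a, 0x0a, 0xc0, 0x2f, 0, 0x9c, 1, 0, 0, 22, 0x1a, 0x1a, 0, 0]);
    m.extend_from_slice(&[0, 10, 0, 8, 0, 6, 0x2a, 0x2a, 0, 29, 0, 23, 0, 11, 0, 2, 1, 0]);
    m
}
fn main() { println!("{:?}", ja3_string(&sample_client_hello())); }
```

Because the GREASE entries are dropped, a client that randomizes them on every connection still yields one stable string, which is what makes the fingerprint usable as a detection key.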