1 unstable release

0.5.0 Apr 15, 2023

#4 in #ja3

BSD-3-Clause

23KB
384 lines

ja3-rs

crates.io Build Status Documentation license

A small JA3 TLS fingerprinting library written in Rust.

This crate enables a consumer to fingerprint the ClientHello portion of a TLS handshake. It can hash TLS handshakes over IPv4 and IPv6. It heavily depends on the tls-parser project from Rusticata.

It supports generating fingerprints from packet capture files as well as live-captures on a network interface, both using libpcap.

See the original JA3 project for more information.

Example of fingerprinting a packet capture file:

use ja3::Ja3;

let mut ja3 = Ja3::new("test.pcap")
                    .process_pcap()
                    .unwrap();

// Now we have a Vec of Ja3Hash objects
for hash in ja3 {
    println!("{}", hash);
}

Example of fingerprinting a live capture:

use ja3::Ja3;

let mut ja3 = Ja3::new("eth0")
                    .process_live()
                    .unwrap();
while let Some(hash) = ja3.next() {
    println!("Hash: {}", hash);
}

Benchmarks

Command Mean [ms] Min [ms] Max [ms] Relative
ja3 huge-cap.pcap 153.2 ± 2.3 149.8 157.2 34.85 ± 2.82
./target/release/examples/ja3 huge-cap.pcap 4.4 ± 0.3 3.6 5.5 1.00

Dependencies

~5.5–7.5MB
~146K SLoC