1 unstable release
0.5.0 | Apr 15, 2023 |
---|
#4 in #ja3
23KB
384 lines
ja3-rs
A small JA3 TLS fingerprinting library written in Rust.
This crate enables a consumer to fingerprint the ClientHello portion of a TLS handshake. It can hash TLS handshakes over IPv4 and IPv6. It heavily depends on the tls-parser project from Rusticata.
It supports generating fingerprints from packet capture files as well as live-captures on a network interface, both using libpcap.
See the original JA3 project for more information.
Example of fingerprinting a packet capture file:
use ja3::Ja3;
let mut ja3 = Ja3::new("test.pcap")
.process_pcap()
.unwrap();
// Now we have a Vec of Ja3Hash objects
for hash in ja3 {
println!("{}", hash);
}
Example of fingerprinting a live capture:
use ja3::Ja3;
let mut ja3 = Ja3::new("eth0")
.process_live()
.unwrap();
while let Some(hash) = ja3.next() {
println!("Hash: {}", hash);
}
Benchmarks
Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
---|---|---|---|---|
ja3 huge-cap.pcap |
153.2 ± 2.3 | 149.8 | 157.2 | 34.85 ± 2.82 |
./target/release/examples/ja3 huge-cap.pcap |
4.4 ± 0.3 | 3.6 | 5.5 | 1.00 |
Dependencies
~6–7.5MB
~147K SLoC