Skip to content

v0.4.0: QUIC support, IPv6, TCP reassembly, bug fixes#8

Merged
Crank-Git merged 18 commits into
masterfrom
v0.4.0
Apr 7, 2026
Merged

v0.4.0: QUIC support, IPv6, TCP reassembly, bug fixes#8
Crank-Git merged 18 commits into
masterfrom
v0.4.0

Conversation

@Crank-Git
Copy link
Copy Markdown
Owner

@Crank-Git Crank-Git commented Apr 7, 2026

Summary

  • QUIC Initial packet parsing (RFC 9001/9369) — auto-detected on UDP, decrypts Initial packets to extract TLS ClientHello, produces q protocol prefix in JA4 fingerprints
  • IPv6 support — all fingerprinters (JA4L, JA4SSH, JA4X) now handle both IPv4 and IPv6 via new packet_utils helpers
  • TCP stream reassembly — new sequence-aware TCPStreamReassembler used by JA4H (multi-segment HTTP) and JA4X (out-of-order certificate delivery)
  • Bug fix: JA4SSH direction detection — lower port now correctly identified as server on non-standard SSH ports
  • Documentationdocs/implementation_notes.md documenting all undocumented spec deviations for Go port reference

New files

File Purpose
ja4plus/utils/quic_utils.py QUIC v1/v2 Initial decryption pipeline
ja4plus/utils/tcp_stream.py Sequence-aware TCP stream reassembly
ja4plus/utils/packet_utils.py IPv4/IPv6 abstraction helpers
docs/implementation_notes.md Spec deviation documentation
6 new test files 48 new tests

Test plan

  • All 473 tests pass (425 original + 48 new)
  • Cross-validate QUIC fingerprints against Go implementation
  • Test with real QUIC pcap captures (e.g. Chrome → google.com)
  • Verify IPv6 fingerprints match IPv4 for same TLS ClientHello

🤖 Generated with Claude Code

Crank-Git and others added 18 commits April 6, 2026 21:54
@Crank-Git
docs: add implementation notes for undocumented behaviors and known i…
172d554 
…ssues
@Crank-Git
feat: add packet_utils with IPv4/IPv6 helpers
c6258c1
@Crank-Git
fix: correct JA4SSH direction detection on non-standard ports
064d8c3 
Lower port is now correctly identified as server, not client.
Previously the logic was inverted: src_port < dst_port made src
the client, but conventionally the lower (listening) port is the
server side.
@Crank-Git @claude
feat: add sequence-aware TCP stream reassembly
4ae6647 
Handles out-of-order segments, duplicates, overlaps, and gap detection.
Used by JA4H and JA4X for multi-segment payload reassembly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@Crank-Git
Merge branch 'worktree-agent-a6ccea23'
1e52d50
@Crank-Git
Merge branch 'worktree-agent-a18b4b64'
12d9617
@Crank-Git
Merge branch 'worktree-agent-a5dc1784'
36f919c
@Crank-Git @claude
feat: add IPv6 support to all fingerprinters
75f3805 
JA4L, JA4SSH, and JA4X now use get_ip_layer() to handle both IPv4
and IPv6 packets. JA4T/JA4TS already worked (TCP-only checks).
JA4/JA4S/JA4H work via extract_tls_info/extract_http_info which
operate on Raw layer regardless of IP version.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Crank-Git @claude
feat: add TCP stream reassembly to JA4H
39e6720 
HTTP requests spanning multiple TCP segments are now reassembled
before parsing. Uses TCPStreamReassembler for sequence-aware
reassembly. Single-packet requests continue to work as before.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Crank-Git @claude
feat: add QUIC Initial packet parsing (RFC 9001/9369)
ebea186 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@Crank-Git
fix: use sequence-aware TCP reassembly in JA4X
a2f565d 
Replaces naive arrival-order stream concatenation with
TCPStreamReassembler for correct handling of out-of-order TCP
segments during certificate extraction.
@Crank-Git
Merge branch 'worktree-agent-abffa38a'
404e05c 
# Conflicts:
#	ja4plus/utils/packet_utils.py
@Crank-Git
Merge branch 'worktree-agent-adebce25'
525562d
@Crank-Git
Merge branch 'worktree-agent-aa73109b'
54c77c8 
# Conflicts:
#	ja4plus/utils/packet_utils.py
#	ja4plus/utils/tcp_stream.py
@Crank-Git
Merge branch 'worktree-agent-acdd7ef0'
bde016b
@Crank-Git
fix: correct test_reset to use reassembler.streams attribute
494c2ac
@Crank-Git
feat: integrate QUIC parsing into extract_tls_info
0963533 
UDP packets are now checked for QUIC Initial data before falling
through to standard TLS parsing. QUIC ClientHellos produce tls_info
dicts with is_quic=True, triggering the 'q' protocol prefix in JA4.
@Crank-Git @claude
docs: update for v0.4.0 - QUIC, IPv6, reassembly, bug fixes
c1a1e0f 
Adds QUIC section to usage guide, new utilities to API reference,
and bumps version to 0.4.0.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Crank-Git Crank-Git merged commit a98f99d into master Apr 7, 2026
7 checks passed
@Crank-Git Crank-Git deleted the v0.4.0 branch April 7, 2026 02:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Crank-Git