Technical Deep Dive
How the JA4T Analysis Engine Works
The TCP handshake reveals the sender's OS, network path, and tool — before a single byte of application data is exchanged.
Anatomy of a JA4T fingerprint (the page's header graphic): 64240_2-4-8-1-3_1460_9 = window size (64240) _ TCP options (2-4-8-1-3) _ MSS (1460) _ window scale (9).
Background
What is JA4T?
JA4T is a passive TCP fingerprint extracted from the SYN packet — the very first packet a client sends when opening a connection. It is captured at the TCP layer, before TLS negotiation or any HTTP traffic.
Key point: the OS kernel, not the application, controls what goes into a SYN packet. A browser and a Python script on the same machine therefore produce the same TCP fingerprint, because both hand connection setup to the kernel. A port scanner that builds its own SYN over a raw socket produces a different one, because the tool itself decides how much of the TCP option set it implements.

Captured at: TCP layer (Layer 4). Before TLS, before HTTP, before any authentication.

Passive: no active probing. The fingerprint is read from normal connection traffic.

Hard to fake: changing the MSS or the option list requires control of the host's TCP stack (kernel sysctls, socket options or a raw socket), not just of the application.

4 fields: window size, TCP options list, MSS, window scale. Each carries independent signal.
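The extraction step described above, as an added example that is not the engine's own code: it walks the IPv4 and TCP headers of a SYN, parses the options area in wire order (NOP and EOL are single-byte options, everything else is type-length-value) and assembles the four-field string. The sample packets are constructed in the block to match the option layouts this page lists; they are not captured traffic. Rendering a missing MSS or window scale as 00 is an assumption made here.

```python
"""Extract a JA4T fingerprint from a raw IPv4/TCP SYN packet.

Added example, not the engine's own code. The packets are constructed by
hand to mirror the option layouts the text describes (not captured traffic).
"""
import struct

TCP_SYN = 0x02


def parse_tcp_options(raw: bytes) -> list:
    """Return (kind, value) pairs from a TCP options area, in wire order.

    NOP (1) and EOL (0) carry no length byte; every other kind is TLV.
    Each EOL byte is recorded, so trailing padding appears as 0-0 (the
    macOS signature in the text ends exactly that way).
    """
    opts = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind in (0, 1):
            opts.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad length {length} for option kind {kind}")
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def ja4t(packet: bytes) -> str:
    """Return 'window_options_mss_wscale' for an IPv4 packet carrying a pure SYN."""
    if packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    data_offset = (tcp[12] >> 4) * 4
    if (tcp[13] & 0x3F) != TCP_SYN:          # SYN-ACKs are the server side (JA4TS), not JA4T
        raise ValueError("not a pure SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    opts = parse_tcp_options(tcp[20:data_offset])
    mss = wscale = None
    for kind, value in opts:
        if kind == 2 and len(value) == 2:
            mss = struct.unpack("!H", value)[0]
        elif kind == 3 and len(value) == 1:
            wscale = value[0]
    kinds = "-".join(str(k) for k, _ in opts) or "00"
    # Assumption for this example: an absent MSS or window scale is written as 00.
    mss_s = str(mss) if mss is not None else "00"
    ws_s = str(wscale) if wscale is not None else "00"
    return f"{window}_{kinds}_{mss_s}_{ws_s}"


def build_syn(window: int, options: bytes, src_port: int = 40000, dst_port: int = 443) -> bytes:
    """Build a minimal IPv4 + TCP SYN (checksums left zero; enough for fingerprinting)."""
    assert len(options) % 4 == 0, "options must be padded to a 4-byte boundary"
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0x1000, 0,
                      (tcp_len // 4) << 4, TCP_SYN, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    return ip + tcp


# Constructed option blobs mirroring the OS signatures in the text.
LINUX_OPTS = (b"\x02\x04\x05\xb4"                # MSS 1460
              b"\x04\x02"                        # SACK permitted
              b"\x08\x0a" + b"\x00" * 8 +        # timestamps (values irrelevant here)
              b"\x01"                            # NOP
              b"\x03\x03\x09")                   # window scale 9
WINDOWS_OPTS = b"\x02\x04\x05\xb4\x01\x03\x03\x08\x01\x01\x04\x02"          # 2-1-3-1-1-4
MACOS_OPTS = (b"\x02\x04\x05\xb4\x01\x03\x03\x06\x01\x01"
              b"\x08\x0a" + b"\x00" * 8 + b"\x04\x02\x00\x00")               # 2-1-3-1-1-8-4-0-0
SCANNER_OPTS = b"\x02\x04\x05\x64\x01\x03\x03\x08"                           # MSS 1380, NOP, wscale 8

SAMPLES = {
    "linux": build_syn(64240, LINUX_OPTS),
    "windows": build_syn(64240, WINDOWS_OPTS),
    "macos": build_syn(65535, MACOS_OPTS),
    "scanner": build_syn(17920, SCANNER_OPTS),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:8s} {ja4t(pkt)}")
```

The Linux sample reproduces the fingerprint in the page's header graphic, and the scanner sample reproduces the VPN scanner line from the tool-rotation timeline further down; swapping the option blob is all it takes to see how each field moves independently.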
Field 2 of 4
TCP Options — OS Identification
The options field is the most diagnostic. Each operating system's kernel emits a specific list of TCP options in a specific order, fixed by the defaults of its networking stack (tunable, for instance via sysctl on Linux, but rarely changed in practice).
| Code | Option name | What it does |
|---|---|---|
| 2 | MSS (Maximum Segment Size) | Declares the largest segment payload the sender accepts |
| 4 | SACK Permitted | Enables selective acknowledgement: faster retransmit |
| 8 | Timestamps | Enables RTT measurement and PAWS (protection against wrapped sequence numbers) |
| 1 | NOP (No Operation) | Padding byte to align options to 4-byte boundaries |
| 3 | Window Scale | Multiplies the window size; required for high-speed links |
The sequence and selection of these codes is the fingerprint. Different OSes include different subsets in different orders:

| Options sequence | Identified OS | Key signal |
|---|---|---|
| 2-4-8-1-3 | 🐧 Linux kernel 4.x+ | SACK before Timestamp; ends with Window Scale |
| 2-1-3-1-1-4 | 🪟 Windows 10 / 11 | No Timestamp (code 8); SACK at the end |
| 2-1-3-1-1-8-4-0-0 | 🍎 macOS / iOS | Timestamp after Window Scale; EOL padding (0-0) |
| 2-1-3 | 🤖 Minimal stack: scanner / bot | HIGH RISK: only 3 options; no current desktop or server OS sends so few |

⚠️ Current desktop and server operating systems send 5 or more options in a SYN. A sequence of only 2 or 3 options means the sender is using a minimal TCP implementation, which is characteristic of Nmap, Masscan, ZMap and custom scanner tooling. (Legacy and embedded stacks can also be this terse, which is why the score combines the option list with the other fields rather than relying on it alone.) Risk score: 9/10.
Field 3 of 4
MSS — Network Path Topology
The Maximum Segment Size reveals the network infrastructure at the sender's end of the path. Every encapsulation layer (PPPoE, VPN, tunnel) lowers the interface MTU, and the sender derives its advertised MSS from that MTU, so the overhead shows up directly as a smaller payload size. A router that rewrites the MSS on the way (MSS clamping) has the same effect.
Standard Ethernet frame = 1500 bytes total; IP (20B) and TCP (20B) headers always come off the top.

Direct (MSS 1460): IP 20B | TCP 20B | payload 1460B
VPN (MSS 1380): IP 20B | TCP 20B | VPN 80B | payload 1380B
Heavy tunnel (MSS 1360): IP 20B | TCP 20B | tunnel 100B | payload 1360B
Overhead below is 1500 minus the MSS, i.e. IP and TCP headers plus any encapsulation.

| MSS | Overhead | Network condition | Notes |
|---|---|---|---|
| 1460 | 40B | Direct Ethernet (MTU 1500) | CLEAN |
| 1452 | 48B | PPPoE DSL connection | |
| 1424 | 76B | Unencrypted proxy / tunnel | Tencent scanner sig |
| 1400 | 100B | Light tunnel / proxy | TUNNEL |
| 1380 | 120B | VPN: WireGuard / OpenVPN / IPsec | VPN |
| 1360 | 140B | Heavy tunnel / double encapsulation | HEAVY |
| 8960+ | jumbo | Datacenter: jumbo frames (MTU 9000) | DATACENTER |
🔭 MSS is path-constrained: advertising a higher MSS than the sender's MTU allows causes fragmentation (or a PMTU black hole when DF is set) that breaks the connection, so the value cannot be inflated. It can be lowered freely, and middleboxes routinely clamp it, so a small MSS is a reliable sign that a tunnel or clamp sits in front of the sender, while a clean 1460 only says the sender's own link is plain Ethernet.
Scoring Logic
Risk Score — Composite 1–10
The score combines OS identification confidence, MSS anomaly, and window size anomaly into a single threat signal. Higher score = less expected for legitimate traffic.
| Score | Signature | Trigger | Description |
|---|---|---|---|
| 9 | Scanner / bot signature | options ≤ 3 (Nmap / Masscan) | TCP options list has fewer than 4 entries. No current desktop or server OS does this; only minimal custom stacks that implement the least TCP they can get away with. |
| 9 | Datacenter + unknown OS | MSS ≥ 8960, unknown options | Jumbo-frame MSS combined with non-standard TCP options. Indicates a datacenter tool or cloud-hosted bot with a custom network stack. |
| 8 | Unknown OS + window anomaly | unrecognised options, odd window | TCP options don't match any known OS pattern, and the window size is non-standard. Strong signal of a custom tool. |
| 7 | Unknown OS | unrecognised options | TCP options don't match Linux, Windows, macOS, or any known OS family. Could be an embedded device, custom firmware, or obfuscation tooling. |
| 6 | Known OS + unusual network | known OS, odd MSS or window | Recognised OS fingerprint but unusual MSS or non-standard window size. Legitimate traffic but warrants attention. |
| 3 | Known OS via VPN | known OS, MSS 1380 | Recognised OS with VPN-typical MSS (1380). Expected for legitimate VPN users; not inherently malicious. |
| 2 | Known OS + direct connection | known OS, MSS 1460 | Recognised OS fingerprint with standard Ethernet MSS. Baseline normal traffic. |
| +2 | Tool rotation bonus | 1 IP → N fingerprints | Same source IP observed with multiple different JA4T fingerprints within the time window. Indicates active tool switching; total capped at 10. |
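The OS table, the MSS table and the scoring rules above, combined into one classifier as an added example (not the engine's own code). The signature strings, MSS conditions and score values are the ones this page lists; the rule ordering (most specific rule first), the set of window sizes treated as standard, and all function and field names are assumptions made for the example.

```python
"""Classify a JA4T string by OS family and network path, then apply the
composite risk rules.

Added example, not the engine's own code. OS_SIGNATURES, MSS_CONDITIONS and
the score values come from this page; the rule ordering, STANDARD_WINDOWS and
all names are assumptions made here.
"""
from dataclasses import dataclass
from typing import Optional

OS_SIGNATURES = {                       # TCP options sequence -> OS family
    "2-4-8-1-3": "Linux kernel 4.x+",
    "2-1-3-1-1-4": "Windows 10 / 11",
    "2-1-3-1-1-8-4-0-0": "macOS / iOS",
}
MSS_CONDITIONS = {                      # MSS -> (network condition, tag)
    1460: ("Direct Ethernet (MTU 1500)", "CLEAN"),
    1452: ("PPPoE DSL connection", "CLEAN"),
    1424: ("Unencrypted proxy / tunnel", "TUNNEL"),
    1400: ("Light tunnel / proxy", "TUNNEL"),
    1380: ("VPN (WireGuard / OpenVPN / IPsec)", "VPN"),
    1360: ("Heavy tunnel / double encapsulation", "HEAVY"),
}
JUMBO_MSS = 8960
# Assumption: initial windows the common desktop/server stacks advertise by default.
STANDARD_WINDOWS = {64240, 65535, 29200, 8192}


@dataclass
class Verdict:
    os_family: Optional[str]
    network: str
    tag: str
    score: int
    reason: str


def parse_ja4t(fp: str):
    """Split 'window_options_mss_wscale' into typed parts; options '00' means none."""
    window, opts, mss, wscale = fp.split("_")
    kinds = [int(k) for k in opts.split("-")] if opts != "00" else []
    return int(window), kinds, int(mss), int(wscale)


def classify(fp: str) -> Verdict:
    window, kinds, mss, _wscale = parse_ja4t(fp)
    os_family = OS_SIGNATURES.get("-".join(map(str, kinds)))
    if mss >= JUMBO_MSS:
        network, tag = "Datacenter jumbo frames (MTU 9000)", "DATACENTER"
    else:
        network, tag = MSS_CONDITIONS.get(mss, (f"Unusual MSS {mss}", "ODD"))
    odd_window = window not in STANDARD_WINDOWS

    # Rules are checked top-down, most specific first; the first match sets the score.
    if len(kinds) <= 3:
        return Verdict(os_family, network, tag, 9, "minimal option list: scanner / bot signature")
    if os_family is None and tag == "DATACENTER":
        return Verdict(None, network, tag, 9, "jumbo MSS with unknown options")
    if os_family is None and odd_window:
        return Verdict(None, network, tag, 8, "unknown options and non-standard window")
    if os_family is None:
        return Verdict(None, network, tag, 7, "unknown OS")
    if tag not in ("CLEAN", "VPN") or odd_window:
        return Verdict(os_family, network, tag, 6, "known OS, unusual MSS or window")
    if tag == "VPN":
        return Verdict(os_family, network, tag, 3, "known OS via VPN")
    return Verdict(os_family, network, tag, 2, "known OS, direct connection")


if __name__ == "__main__":
    for fp in ("64240_2-4-8-1-3_1460_9", "17920_2-1-3_1380_8",
               "65535_2-1-3-1-1-8-4-0-0_1380_6", "12345_2-4-8-1-1-3_8960_7"):
        v = classify(fp)
        print(f"{fp:32s} {v.score:2d}  {(v.os_family or 'unknown'):18s} {v.network}  ({v.reason})")
```

Note that the scanner rule is evaluated before any OS lookup: a three-option SYN scores 9 whether or not its MSS looks like a clean Ethernet link, which matches the page's treatment of 42340_2-1-3_1460_9 in the tool-rotation timeline.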
Advanced Detection
Fingerprint Instability — Tool Rotation
A real user on a single machine produces a consistent fingerprint. When the same IP address is seen with multiple different JA4T values, it indicates the sender is switching tools mid-attack. Check the address first: behind NAT or carrier-grade NAT one IP carries many machines, and a single laptop toggling a VPN changes its MSS while keeping its options list, so a change in the options segment (a different TCP stack) is the stronger signal.
Example: same IP, different tools (alert window: 6 hours)

| Time | Source IP | JA4T | Assessment | Flag |
|---|---|---|---|---|
| 09:12 | 64.39.102.94 | 64240_2-4-8-1-3_1460_9 | Browser / curl | normal |
| 09:45 | 64.39.102.94 | 17920_2-1-3_1380_8 | Custom scanner via VPN | ⚑ different FP |
| 10:03 | 64.39.102.94 | 42340_2-1-3_1460_9 | Different scanner tool | ⚑ 3rd fingerprint |

Result: all fingerprints associated with this IP receive the +2 risk bonus, capped at 10.
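The rotation check as an added example (not the engine's own code). It groups events by source IP and, for each event, counts the distinct JA4T values the same IP showed within the window before or after it, so the early browser-looking event is re-scored once the scanners appear, as the result line above describes. The 6-hour window, the +2 bonus and the cap at 10 are the page's; the event layout, the retroactive re-scoring and the options-segment comparison are assumptions made here, and EVENTS is a constructed timeline mirroring the table above, not captured data.

```python
"""Fingerprint instability: re-score events when one source IP shows several
JA4T values inside a time window.

Added example, not the engine's own code. The 6-hour window, the +2 bonus and
the cap at 10 come from the page; the event layout, the retroactive re-scoring
and the options-segment check are assumptions made here. EVENTS is a
constructed timeline mirroring the page's example, not captured data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=6)
ROTATION_BONUS = 2
MAX_SCORE = 10


def os_segment(fp: str) -> str:
    """The TCP-options segment of a JA4T string: the part that identifies the stack."""
    return fp.split("_")[1]


def score_with_rotation(events, window: timedelta = WINDOW):
    """Return (ts, ip, fp, final_score, distinct_fps, stacks_differ) per event.

    An event gets +ROTATION_BONUS (capped at MAX_SCORE) when its source IP shows
    any other JA4T within `window` of it, before or after, so an early, innocent-
    looking event is re-scored once later tools appear. stacks_differ is True when
    the in-window fingerprints disagree on the options segment, i.e. on the TCP
    stack itself; an MSS-only change (same options, 1460 vs 1380) can be one host
    toggling a VPN, and a shared NAT address can show several stacks without any
    tool switching, so this flag is what an analyst checks before alerting.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    out = []
    for ts, ip, fp, base in events:
        near = {f for t, _, f, _ in by_ip[ip] if abs(t - ts) <= window}
        stacks = {os_segment(f) for f in near}
        score = min(base + ROTATION_BONUS, MAX_SCORE) if len(near) > 1 else base
        out.append((ts, ip, fp, score, len(near), len(stacks) > 1))
    return out


# Constructed timeline: (timestamp, source IP, JA4T, base risk score).
EVENTS = [
    (datetime(2024, 1, 1, 9, 12), "64.39.102.94", "64240_2-4-8-1-3_1460_9", 2),   # browser / curl
    (datetime(2024, 1, 1, 9, 45), "64.39.102.94", "17920_2-1-3_1380_8", 9),       # scanner via VPN
    (datetime(2024, 1, 1, 10, 3), "64.39.102.94", "42340_2-1-3_1460_9", 9),       # another scanner
    (datetime(2024, 1, 1, 16, 30), "64.39.102.94", "64240_2-4-8-1-3_1460_9", 2),  # >6 h later: window expired
    (datetime(2024, 1, 1, 9, 50), "198.51.100.7", "64240_2-4-8-1-3_1460_9", 2),   # unrelated IP, untouched
]

if __name__ == "__main__":
    for ts, ip, fp, score, n, differ in score_with_rotation(EVENTS):
        flag = "⚑ stack change" if differ else ""
        print(f"{ts:%H:%M} {ip:14s} {fp:24s} score={score:2d} fps_in_window={n} {flag}")
```

Run on the constructed timeline, the 09:12 event climbs from 2 to 4, the two scanner events saturate at 10, and the 16:30 event (outside the window of all three) and the unrelated IP stay at their base scores.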
External Intelligence
JA4DB — Cross-Reference Database
JA4DB is a community-maintained database of 288,240+ fingerprints mapped to known software, scanners, malware families, and legitimate clients. The engine queries it in three stages.
1. EXACT: full JA4T string match against the ja4t_fingerprint field. Highest confidence; identifies the specific tool version.
2. PARTIAL: match by the TCP options segment only, which identifies the OS family; then window + options for a closer match. Used when no exact match exists.
3. XREF: if the same alert carries an extra.ja4 (TLS) or extra.ja4h (HTTP) fingerprint, those are also looked up and linked to the JA4T result.
📚 A verified match means someone captured real traffic, confirmed the tool identity, and submitted it to the database. Unverified matches are inferred from partial signatures and are lower confidence.
🔐 Why This Can't Be Easily Faked

Kernel-controlled: TCP SYN parameters are set by the OS kernel, not the application. A Python script cannot change the TCP options its SYN packet carries without raw-socket access or kernel-level tuning, and the same holds for a browser.

MSS is path-bound: advertising an MSS higher than the sender's MTU allows causes fragmentation that breaks TCP performance, so the value cannot be inflated. It can only be lowered, and a lowered value is itself the tunnel signal the engine looks for.

Pre-application: the SYN packet is sent before TLS, before HTTP, before any User-Agent string. Spoofing the application layer doesn't affect it.

Consistency reveals intent: legitimate users produce stable fingerprints. Multiple different fingerprints from one IP within hours is a strong attack signal even if each individual fingerprint looks innocent, once shared addresses (NAT, carrier-grade NAT) have been ruled out.