code_public/ja4-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(ja4ebpf): add dst_ip/dst_port to TLS and HTTP plain events for complete L3/L4

Browse Source 
Add dst_ip and dst_port fields to tls_hello_event BPF struct and populate
them in tc_capture.c. Update Go TLS event handler with new byte offsets
(payload[2048]+src_ip(4)+dst_ip(4)+src_port(2)+dst_port(2)+payload_len(2)+
timestamp_ns(8) = 2070 bytes). Read dst_ip/dst_port from HTTP plain events
and use them to populate L3L4 when SYN was not captured, ensuring dst_ip
and dst_port are always available in ClickHouse for both TLS and HTTP sessions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jacquin Antoine
2026-04-15 14:31:46 +02:00
parent 65d833bb18
commit 0975d40609
5 changed files with 44 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
services/ja4ebpf/bpf/tc_capture.c
View File

@ -209,12 +209,16 @@ int capture_tc(struct __sk_buff *ctx)
return TC_ACT_OK;
tls_evt->src_ip = 0;
tls_evt->dst_ip = 0;
tls_evt->src_port = 0;
tls_evt->dst_port = 0;
tls_evt->payload_len = 0;
tls_evt->timestamp_ns = 0;
tls_evt->src_ip = bpf_ntohl(src_ip);
tls_evt->dst_ip = bpf_ntohl(dst_ip);
tls_evt->src_port = src_port;
tls_evt->dst_port = dst_port;
tls_evt->timestamp_ns = bpf_ktime_get_ns();
/* Copie via bpf_skb_load_bytes avec tailles constantes en cascade.