code_public/ja4-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(ja4ebpf): add dst_ip/dst_port to TLS and HTTP plain events for complete L3/L4

Browse Source 
Add dst_ip and dst_port fields to tls_hello_event BPF struct and populate
them in tc_capture.c. Update Go TLS event handler with new byte offsets
(payload[2048]+src_ip(4)+dst_ip(4)+src_port(2)+dst_port(2)+payload_len(2)+
timestamp_ns(8) = 2070 bytes). Read dst_ip/dst_port from HTTP plain events
and use them to populate L3L4 when SYN was not captured, ensuring dst_ip
and dst_port are always available in ClickHouse for both TLS and HTTP sessions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jacquin Antoine
2026-04-15 14:31:46 +02:00
parent 65d833bb18
commit 0975d40609
5 changed files with 44 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
services/ja4ebpf/internal/loader/ja4tc_x86_bpfel.go
View File

@ -61,7 +61,9 @@ type Ja4TcSslReadArgs struct {
type Ja4TcTlsHelloEvent struct {
Payload [2048]uint8
SrcIp uint32
DstIp uint32
SrcPort uint16
DstPort uint16
PayloadLen uint16
TimestampNs uint64
}