From 131b204edf1a76152ad9136998c9b9c054a84fb7 Mon Sep 17 00:00:00 2001 From: toto Date: Wed, 4 Mar 2026 11:07:01 +0100 Subject: [PATCH] fix: improve error logging with source/destination details Logging improvements: - Add src_ip, src_port, dst_ip, dst_port to tlsparse error logs - Add connection details to fingerprint error logs (conn_id, payload_len) - Include 'unknown' placeholders for packets that fail before parsing This helps debug issues with truncated ClientHello payloads and identify problematic connections more easily. Example log output: WARN Failed to generate fingerprints src_ip=192.168.1.10 src_port=54321 dst_ip=10.0.0.1 dst_port=443 conn_id=192.168.1.10:54321->10.0.0.1:443 payload_len=128 error="failed to parse ClientHello: extension data truncated" Co-authored-by: Qwen-Coder Co-authored-by: Qwen-Coder
---
 cmd/ja4sentinel/main.go | 13 +++++++++++-- internal/fingerprint/engine.go | 8 +++++--- 2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/cmd/ja4sentinel/main.go b/cmd/ja4sentinel/main.go
index 87e4732..2bc749e 100644
--- a/cmd/ja4sentinel/main.go
+++ b/cmd/ja4sentinel/main.go
@@ -167,7 +167,11 @@ func main() {
 clientHello, err := parser.Process(pkt)
 if err != nil {
 appLogger.Warn("tlsparse", "Failed to parse TLS ClientHello", map[string]string{
- "error": err.Error(),
+ "error": err.Error(),
+ "src_ip": "unknown",
+ "src_port": "unknown",
+ "dst_ip": "unknown",
+ "dst_port": "unknown",
 })
 continue
 }
@@ -186,7 +190,12 @@ func main() {
 fingerprints, err := fingerprintEngine.FromClientHello(*clientHello)
 if err != nil {
 appLogger.Warn("fingerprint", "Failed to generate fingerprints", map[string]string{
- "error": err.Error(),
+ "error": err.Error(),
+ "src_ip": clientHello.SrcIP,
+ "src_port": fmt.Sprintf("%d", clientHello.SrcPort),
+ "dst_ip": clientHello.DstIP,
+ "dst_port": fmt.Sprintf("%d", clientHello.DstPort),
+ "conn_id": clientHello.ConnID,
 })
 continue
 }
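Review bot: The four `"unknown"` placeholders added to the tlsparse warning at `@@ -167,7 +167,11 @@` put a non-address string into `src_ip`/`dst_ip` and a non-numeric one into the port fields, which a log pipeline that types those keys as IP or integer may reject or mis-index (the consumer is not visible here, so this is a risk to check rather than a confirmed break). The placeholders carry no information, so the warning is easier to query if the keys are simply absent when the value is not known: keep only `"error": err.Error(),` in this map. If `pkt` exposes the captured addresses, reading them here would identify the sender of a malformed ClientHello, which is what an analyst needs most on this path; the hunk does not show the packet type, and `main` starts and ends outside it.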
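Review bot: `payload_len` is missing from the fields added to the fingerprint warning at `@@ -186,7 +190,12 @@`, although the commit message lists it and shows it in the example output; with this patch it appears only inside the error text built in `internal/fingerprint/engine.go`, and only on the parse-failure path. Adding `"payload_len": fmt.Sprintf("%d", len(clientHello.Payload)),` next to `conn_id` makes it a queryable field, which is what helps when hunting truncated or undersized hellos across many connections. `main` starts and ends outside the hunk.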
diff --git a/internal/fingerprint/engine.go b/internal/fingerprint/engine.go
index 5baf55a..ca4f9df 100644
--- a/internal/fingerprint/engine.go
+++ b/internal/fingerprint/engine.go
@@ -18,17 +18,19 @@ func NewEngine() *EngineImpl {
 }

 // FromClientHello generates JA4 (and optionally JA3) fingerprints from a TLS ClientHello
-// Note: JA4Hash is populated for internal use but should NOT be serialized to LogRecord
+// Note: JA4 hash portion is extracted for internal use but NOT serialized to LogRecord
 // as the JA4 format already includes its own hash portions (per architecture.yml)
 func (e *EngineImpl) FromClientHello(ch api.TLSClientHello) (*api.Fingerprints, error) {
 if len(ch.Payload) == 0 {
- return nil, fmt.Errorf("empty ClientHello payload")
+ return nil, fmt.Errorf("empty ClientHello payload from %s:%d -> %s:%d",
+ ch.SrcIP, ch.SrcPort, ch.DstIP, ch.DstPort)
 }

 // Parse the ClientHello using tlsfingerprint
 fp, err := tlsfingerprint.ParseClientHello(ch.Payload)
 if err != nil {
- return nil, fmt.Errorf("failed to parse ClientHello: %w", err)
+ return nil, fmt.Errorf("failed to parse ClientHello from %s:%d -> %s:%d (conn_id=%s, payload_len=%d): %w",
+ ch.SrcIP, ch.SrcPort, ch.DstIP, ch.DstPort, ch.ConnID, len(ch.Payload), err)
 }

 // Generate JA4 fingerprint
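Review bot: Both rewritten `fmt.Errorf` calls embed the peer addresses in the error string, so the caller in `cmd/ja4sentinel/main.go`, which now logs `src_ip`, `src_port`, `dst_ip`, `dst_port` and `conn_id` as separate fields, records them twice, and the `error` value becomes unique per connection instead of the stable text shown in the commit message's example. A stable message is easier to count and alert on; I would keep `return nil, fmt.Errorf("failed to parse ClientHello: %w", err)` and `fmt.Errorf("empty ClientHello payload")` and leave the connection context to the caller's fields. If the addresses do stay in the message, `%s:%d` reads ambiguously for an IPv6 `SrcIP`, and the empty-payload branch omits the `conn_id` that the parse branch includes. The body of `FromClientHello` continues past the end of the hunk.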