JA4D and JA4D6: DHCP Fingerprinting
John Althouse
Nov 19, 2025
TL;DR
JA4D and JA4D6 are the latest additions to JA4+ and allow for easy device/operating system identification at the moment a device connects to the network, regardless of MAC address and without the need for network scanning. It’s perfect for locked-down environments, identifying hacking tools, or just knowing what’s on the network.
JA4+
JA4+ is a modular suite of network fingerprints that are easy to use and easy to share. These fingerprints have integrations in over 50 tools and products including Wireshark, Arkime, Zeek, Palo Alto Networks, Vectra, ExtraHop, eSentire, Fastly, and F5. JA4D and JA4D6 are the latest additions to the JA4+ family.
JA4+ Network Fingerprints
Full Name | Short Name | Description |
|---|---|---|
JA4 | JA4 | TLS Client Fingerprinting |
JA4Server | JA4S | TLS Server Response / Session Fingerprinting |
JA4HTTP | JA4H | HTTP Client Fingerprinting |
JA4Latency | JA4L | Client to Server Latency Measurement / Light Distance |
JA4LatencyServer | JA4LS | Server to Client Latency Measurement / Light Distance |
JA4X509 | JA4X | X509 TLS Certificate Fingerprinting |
JA4SSH | JA4SSH | SSH Traffic Fingerprinting |
JA4TCP | JA4T | TCP Client Fingerprinting |
JA4TCPServer | JA4TS | TCP Server Response Fingerprinting |
JA4TCPScan | JA4TScan | Active TCP Fingerprint Scanner |
JA4DHCP | JA4D | DHCP Fingerprinting |
JA4DHCPv6 | JA4D6 | DHCPv6 Fingerprinting |
More information on JA4+ is available on our GitHub: https://github.com/FoxIO-LLC/ja4
JA4DHCP
JA4D fingerprints traditional DHCP messages over IPv4 while JA4D6 fingerprints DHCPv6 messages over IPv6. Together, they provide the ability to easily identify devices on a network without the need to rely solely on network interface MAC addresses.
As with the rest of JA4+, the fingerprints are split up into a_b_c delimited sections for easy cross-correlation and are designed to be human readable as well as machine usable. The first part of the fingerprint is the DHCP message type. There are 57 possible message types but the most common are associated with new requests.
For a new DHCP request the standard procedure is: disco → offer → reqst → dpack
IANA Type | JA4D 5-character Code | Meaning |
|---|---|---|
DHCPDISCOVER | disco | Client is looking for an IPv4 address and DHCP server |
DHCPOFFER | offer | Server is offering an IPv4 address |
DHCPREQUEST | reqst | Client is requesting that specific IPv4 address |
DHCPACK | dpack | Server has agreed to the request |
For a new DHCPv6 request the standard procedure is: solct → advrt → reqst → reply
IANA Type | JA4D6 5-character Code | Meaning |
|---|---|---|
SOLICIT | solct | Client is looking for an IPv6 address and a DHCPv6 server |
ADVERTISE | advrt | Server is offering an IPv6 address |
REQUEST | reqst | Client is requesting that specific IPv6 address |
REPLY | reply | Server has agreed to the request |
Therefore, common JA4D/6 fingerprints for identifying a client are disco, reqst and solct.
Common JA4D/6 fingerprints for identifying the DHCP server are offer, dpack, advrt and reply.
Examples
JA4+ Fingerprints | Operating System | Device |
|---|---|---|
ja4d == disco1500nn_61-57-60-12-55_1-3-6-15-26-28-51-58-59-43-114-108 | Android 16 | Samsung Phone |
ja4d == reqst1500in_61-57-60-12-55_1-3-6-15-26-28-51-58-59-43-114-108 | Android 16 | Samsung Phone |
ja4d == disco0000nn_61-12-60-55_1-3-6-15-31-33-43-44-46-47-119-121-249-252 | Windows 10/11 | Desktop/Laptop |
ja4d == reqst0000id_61-12-60-55_1-3-6-15-31-33-43-44-46-47-119-121-249-252 | Windows 10/11 | Desktop/Laptop |
ja4d6 == solct0014nn_8-1-3-39-16-6_17-23-24-39 | Windows 10/11 | Desktop/Laptop |
ja4d6 == reqst0014nn_8-1-2-3-5-39-16-6_17-23-24-39 | Windows 10/11 | Desktop/Laptop |
ja4d == reqst0576nn_57-55-12-60-61_1-3-6-12-15-28-42 | Embedded Linux 1.34 | Ubiquiti Cameras |
ja4d == reqst0576nn_57-55-60-12_1-3-6-15-28-42-121 | Embedded Linux 1.30 | Philips Hue Bridge |
ja4d == reqst0576nn_61-57-55-60-12_1-3-6-12-15-28-42-43 | Ubiquiti | Ubiquiti Hardware |
ja4d == disco1500nn_57-55-60-61-12_1-2-3-6-69 | EMLAB | LIFX Smart Bulbs |
ja4d == disco0576nn_57-55-61-12_1-3-26-252-42-15-6-12 | LG | LG WebOS TV |
ja4d == disco0576nn_57-55-61-12_1-3-26-252-43-42-6-12 | Samsung | Samsung TV |
ja4d == reqst0000nn_61-12-55_1-3-6-12-15-28 | Epson | Epson Printer |
JA4D/6 makes identifying devices on a network trivial and is far more effective than existing methods. For example, Ubiquiti identifies this device as a “Fractal Design Node 304” and it lists the OS as “Others”.
Looking at the same MAC address in Arkime, we can easily see that the device has a JA4D matching Windows 10/11 in the chart above. No network scanning is needed: JA4D is able to identify devices the moment they plug into the network, regardless of MAC address.
JA4D/6 can be extremely valuable in locked-down networks where only a certain operating system is allowed on the network. In those cases, one could utilize JA4D/6 to be notified of a violation the moment an unauthorized operating system connects, without the need to wait for traditional network scans to run.
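The allowlist check described above, as an added example (not code from the original post or from FoxIO). The `ALLOWED_OS` policy, the sample MAC addresses and the fallback match on sections b and c are assumptions of this example; the fallback relies on the table's disco/reqst pairs sharing those sections.

```python
# Fingerprints copied from the Examples table on this page.
KNOWN = {
    "disco0000nn_61-12-60-55_1-3-6-15-31-33-43-44-46-47-119-121-249-252": "Windows 10/11",
    "reqst0000id_61-12-60-55_1-3-6-15-31-33-43-44-46-47-119-121-249-252": "Windows 10/11",
    "disco1500nn_61-57-60-12-55_1-3-6-15-26-28-51-58-59-43-114-108": "Android 16",
    "reqst1500in_61-57-60-12-55_1-3-6-15-26-28-51-58-59-43-114-108": "Android 16",
    "reqst0576nn_57-55-60-12_1-3-6-15-28-42-121": "Embedded Linux 1.30",
}
CLIENT_TYPES = {"disco", "reqst"}   # client-side JA4D codes from the page
ALLOWED_OS = {"Windows 10/11"}      # assumption: this site's policy

def split_fp(fp):
    """Split an a_b_c fingerprint; the first 5 characters are the message type."""
    a, b, c = fp.split("_")
    return a[:5], a, b, c

# Secondary index on sections b and c, so a device seen in a 'disco' can be
# correlated with the table's 'reqst' entry (assumption: weaker than exact).
BY_BC = {split_fp(fp)[2:]: os_name for fp, os_name in KNOWN.items()}

def identify(fp):
    """Return (os_name, match_kind); os_name is None when nothing matches."""
    if fp in KNOWN:
        return KNOWN[fp], "exact"
    os_name = BY_BC.get(split_fp(fp)[2:])
    return (os_name, "b_c") if os_name else (None, "none")

def violations(observations):
    """Return [(mac, os_name, match_kind)] for clients outside ALLOWED_OS."""
    out = []
    for mac, fp in observations:
        if split_fp(fp)[0] not in CLIENT_TYPES:
            continue                      # server messages do not identify a client
        os_name, kind = identify(fp)
        if os_name not in ALLOWED_OS:     # unknown fingerprints are violations too
            out.append((mac, os_name or "unknown", kind))
    return out

# Constructed observations: MACs are made up, the last fingerprint is invented.
SAMPLE = [
    ("02:00:00:00:00:01", "disco0000nn_61-12-60-55_1-3-6-15-31-33-43-44-46-47-119-121-249-252"),
    ("02:00:00:00:00:02", "reqst1500in_61-57-60-12-55_1-3-6-15-26-28-51-58-59-43-114-108"),
    ("02:00:00:00:00:03", "disco0576nn_57-55-60-12_1-3-6-15-28-42-121"),
    ("02:00:00:00:00:04", "reqst0000nn_99-98_1-2-3"),
]
```

The b_c fallback is only used here for JA4D; the Windows JA4D6 rows in the table differ in section b between solct and reqst, so the same shortcut would miss them.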
Malware Detection
A common tool used by Red Teams and threat actors is Pretender. This tool exploits the fact that most internal corporate networks are set up for IPv4 only, yet all devices in those networks not only support IPv6, but prefer it. By using Pretender on a compromised system, the threat actor can effectively take over a network by advertising itself as the DHCPv6 server, which devices will prefer over the existing DHCP server, and intercept/redirect DNS, authentication, Kerberos, and other traffic.
In an IPv4-only network, you may see JA4D6 == solct* because some systems regularly look for a DHCPv6 server. So simply looking for DHCPv6 traffic will not help identify this type of attack.
However, in an IPv4-only environment, you should never see JA4D6 == reply* and if you do, an attack might be under way.
At the time of writing, the Pretender tool produces the following JA4D6 fingerprints:
Pretender JA4D6 Fingerprints as of Nov. 2025 |
advrt0018nn_1-2-23-3-5_00 |
reply0018nn_1-2-23-3-5_00 |
advrt0014nn_1-2-23-3-5_00 |
reply0014nn_1-2-23-3-5_00 |
advrt0010nn_1-2-23-3-5_00 |
reply0010nn_1-2-23_00 |
If you’re a Red Teamer (hi Hector!) and you’re thinking, “oh no, this detects one of my favorite attack methods!” I think you can rest easy knowing very few companies monitor their internal network traffic. However, if they did, and with JA4+, well that would be cause for some very positive recognition in the post-engagement report.
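The detection rule for IPv4-only networks described above, as an added example (not code from the original post or from FoxIO). The record layout `(timestamp, source, ja4d6)`, the severity labels and the sample addresses are assumptions of this example; the fingerprints are the ones listed on this page.

```python
# Pretender JA4D6 fingerprints as listed on this page (Nov. 2025).
PRETENDER = {
    "advrt0018nn_1-2-23-3-5_00", "reply0018nn_1-2-23-3-5_00",
    "advrt0014nn_1-2-23-3-5_00", "reply0014nn_1-2-23-3-5_00",
    "advrt0010nn_1-2-23-3-5_00", "reply0010nn_1-2-23_00",
}
SERVER_TYPES = {"advrt", "reply"}   # DHCPv6 server-side codes from the page
RANK = {"medium": 1, "high": 2}

def triage(records, ipv4_only=True):
    """Return {source: {"severity", "first_seen", "count"}} for suspicious sources.

    high   = exact match on a listed Pretender fingerprint
    medium = any DHCPv6 server message on a network declared IPv4-only
    Client messages such as solct* are expected background and are ignored.
    """
    hits = {}
    for ts, src, fp in records:
        if fp in PRETENDER:
            sev = "high"
        elif ipv4_only and fp[:5] in SERVER_TYPES:
            sev = "medium"
        else:
            continue
        h = hits.setdefault(src, {"severity": sev, "first_seen": ts, "count": 0})
        h["count"] += 1
        h["first_seen"] = min(h["first_seen"], ts)
        if RANK[sev] > RANK[h["severity"]]:
            h["severity"] = sev
    return hits

# Constructed records: timestamps and addresses are made up; the last
# fingerprint is invented to stand in for an unlisted DHCPv6 server.
SAMPLE = [
    (100, "fe80::1111", "solct0014nn_8-1-3-39-16-6_17-23-24-39"),
    (101, "fe80::2222", "advrt0014nn_1-2-23-3-5_00"),
    (102, "fe80::2222", "reply0014nn_1-2-23-3-5_00"),
    (103, "fe80::3333", "reply0014nn_1-2-3_23-24"),
]
```

Keeping the prefix rule alongside the exact list means a server message still raises an alert when the tool's fingerprint changes from the values recorded here.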
JA4D/6 are immediately available for free under the FoxIO License on Arkime, Wireshark, and Zeek, with support on Vectra, ExtraHop, and others coming soon.
A database of JA4D/6 fingerprints will be available on the new JA4DB in the coming weeks.
Zeek example:
If you already have the Zeek ja4+ plugin installed via zkg, then you only need to run “zkg upgrade” to have JA4D support. Be aware, Zeek does not currently support DHCPv6. Until that is in, you will have ja4d.log but not ja4d6.log.
Wireshark example:
The latest JA4+ plugin for Wireshark 4.6+ can be found on our GitHub Releases.
Arkime example:
The easiest way to get started with JA4+ on Arkime is to utilize their Docker deployment: https://arkime.com/udr7








