From ebf68937d7cdb29dee7e6b5ed8a3cc3556af34b3 Mon Sep 17 00:00:00 2001
From: thegwan
Date: Thu, 3 Mar 2022 12:24:10 -0800
Subject: [PATCH 1/3] TLSServerHello.cipher_suite is deprecated and renamed to .ciphersuite
---
 python/ja3s.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 mode change 100644 => 100755 python/ja3s.py
diff --git a/python/ja3s.py b/python/ja3s.py
old mode 100644
new mode 100755
index 4ee647d..f39c58d
--- a/python/ja3s.py
+++ b/python/ja3s.py
@@ -131,7 +131,7 @@ def process_pcap(pcap, any_port=False):
 ja3 = [str(server_handshake.version)]
 # Cipher Suites (16 bit values)
- ja3.append(str(server_handshake.cipher_suite))
+ ja3.append(str(server_handshake.ciphersuite))
 ja3 += process_extensions(server_handshake)
 ja3 = ",".join(ja3)

From 80b7ce49b1b275a5fa1e4c21cf7b965d4fe5a782 Mon Sep 17 00:00:00 2001
From: thegwan
Date: Thu, 3 Mar 2022 12:35:49 -0800
Subject: [PATCH 2/3] use integer ID code of chosen ciphersuite instead of the object name
---
 python/ja3s.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/ja3s.py b/python/ja3s.py
index f39c58d..39fed40 100755
--- a/python/ja3s.py
+++ b/python/ja3s.py
@@ -131,7 +131,7 @@ def process_pcap(pcap, any_port=False):
 ja3 = [str(server_handshake.version)]
 # Cipher Suites (16 bit values)
- ja3.append(str(server_handshake.ciphersuite))
+ ja3.append(str(server_handshake.ciphersuite.code))
 ja3 += process_extensions(server_handshake)
 ja3 = ",".join(ja3)

From 77ff0399dcb4ec157e4f382f9f303c6b3e4b08d1 Mon Sep 17 00:00:00 2001
From: thegwan
Date: Thu, 3 Mar 2022 12:38:44 -0800
Subject: [PATCH 3/3] ja3 --> ja3s
---
 python/ja3s.py | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/python/ja3s.py b/python/ja3s.py
index 39fed40..f1b8af6 100755
--- a/python/ja3s.py
+++ b/python/ja3s.py
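Review bot: `str(server_handshake.ciphersuite.code)` yields the published JA3S form only if `.code` is the raw 16-bit suite identifier rendered in decimal; nothing at the call site records that, so a later change to the hex or named form would silently produce digests that never match shared JA3S lists. Suggest a comment on the new line, `# JA3S uses the decimal value of the selected suite, not its name`. If the library's suite table lacks the code the server picked, the ServerHello parse presumably fails before this line, and whatever handler wraps the parse is outside the hunk — worth confirming that one unusual server does not abort the whole pcap. process_pcap starts and ends outside the hunk.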
@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-"""Generate JA3 fingerprints from PCAPs using Python."""
+"""Generate JA3S fingerprints from PCAPs using Python."""
 import argparse
 import dpkt
@@ -36,10 +36,10 @@ def convert_ip(value):
 def process_extensions(server_handshake):
- """Process any extra extensions and convert to a JA3 segment.
+ """Process any extra extensions and convert to a JA3S segment.
- :param client_handshake: Handshake data from the packet
- :type client_handshake: dpkt.ssl.TLSClientHello
+ :param server_handshake: Handshake data from the packet
+ :type server_handshake: dpkt.ssl.TLSServerHello
 :returns: list
 """
 if not hasattr(server_handshake, "extensions"):
@@ -128,19 +128,19 @@ def process_pcap(pcap, any_port=False):
 continue
 server_handshake = handshake.data
- ja3 = [str(server_handshake.version)]
+ ja3s = [str(server_handshake.version)]
- # Cipher Suites (16 bit values)
- ja3.append(str(server_handshake.ciphersuite.code))
- ja3 += process_extensions(server_handshake)
- ja3 = ",".join(ja3)
+ # Chosen Cipher Suite (16 bit values)
+ ja3s.append(str(server_handshake.ciphersuite.code))
+ ja3s += process_extensions(server_handshake)
+ ja3s = ",".join(ja3s)
 record = {"source_ip": convert_ip(ip.src),
 "destination_ip": convert_ip(ip.dst),
 "source_port": tcp.sport,
 "destination_port": tcp.dport,
- "ja3": ja3,
- "ja3_digest": md5(ja3.encode()).hexdigest(),
+ "ja3s": ja3s,
+ "ja3s_digest": md5(ja3s.encode()).hexdigest(),
 "timestamp": timestamp}
 results.append(record)
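Review bot: The new record keys `ja3s` / `ja3s_digest` replace `ja3` / `ja3_digest`, which is an output-schema change the commit message does not call out; any consumer that indexes the records by the old keys (a JSON sink or SIEM parser) loses the field rather than failing loudly. A sentence in the commit message or README noting the rename, or emitting both key pairs for one release, would make the break visible. The rename itself is consistent across the hunk, including the `ja3s.encode()` passed to `md5`. process_pcap starts and ends outside the hunk.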
@@ -148,11 +148,11 @@ def process_pcap(pcap, any_port=False):
 def main():
- """Intake arguments from the user and print out JA3 output."""
- desc = "A python script for extracting JA3 fingerprints from PCAP files"
+ """Intake arguments from the user and print out JA3s output."""
+ desc = "A python script for extracting JA3s fingerprints from PCAP files"
 parser = argparse.ArgumentParser(description=(desc))
 parser.add_argument("pcap", help="The pcap file to process")
- help_text = "Look for client hellos on any port instead of just 443"
+ help_text = "Look for server hellos on any port instead of just 443"
 parser.add_argument("-a", "--any_port", required=False, action="store_true", default=False, help=help_text)
@@ -184,8 +184,8 @@ def main():
 tmp = '[{dest}:{port}] JA3S: {segment} --> {digest}'
 tmp = tmp.format(dest=record['destination_ip'], port=record['destination_port'],
- segment=record['ja3'],
- digest=record['ja3_digest'])
+ segment=record['ja3s'],
+ digest=record['ja3s_digest'])
 print(tmp)
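Review bot: The new docstring and `desc` string spell it `JA3s`, while the module docstring and the `JA3S:` label printed by main use `JA3S`; the description is shown in `--help`, so the mixed casing is user-visible. Suggest `desc = "A python script for extracting JA3S fingerprints from PCAP files"` and `"""Intake arguments from the user and print out JA3S output."""`. The `help_text` change is right for a script that looks for ServerHello records. main continues past the hunk.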