no JA4 fields in zeek logs

[thenesk]

After installing JA4 into zeek on Ubuntu 24.04 using sudo zkg install zeek/foxio/ja4, I don't see any fields in the zeek logs that look like JA4. The installation appears to be OK:

$ sudo zeekctl check
zeek scripts are ok.
$ sudo zkg list
zeek/foxio/ja4 (installed: v0.18.8) - Official Zeek package for JA4+ network fingerprinting.

But I do not see any field names that look like JA4 when I try some of the test files like:

$ zeek -C -r ../ja4-main/pcap/tls3.pcapng
$ grep -ri ja ./

I tried a few different pcaps, I tried running sudo zeekctl deploy, and I tried adding the @load commands.
Not sure if I am missing something basic, I am new to both zeek and JA4. Let me know if you need any more info.

thanks,
--mark

[J0eJ0h]

If you are just running zeek standalone, you need to have @load packages in your site/local.zeek file

[thenesk]

I tried adding @load packages and @load ja4 at the end of /usr/local/zeek/share/zeek/site/local.zeek, but I am still not seeing any clear signs of JA4 in the logs.

[thenesk]

Not sure if it matters but I am using the current LTS version of zeek, 8.0.4, built from source.

It looks like zkg did install JA4 files in sites as I think it is supposed to:

$ ll /usr/local/zeek/share/zeek/site/
total 20
drwxr-xr-x  3 root root 4096 Nov 26 13:19 ./
drwxr-xr-x 10 root root 4096 Nov 26 11:40 ../
lrwxrwxrwx  1 root root   12 Nov 26 11:55 ja4 -> packages/ja4/
-rw-rw-r--  1 root root 4142 Nov 26 13:19 local.zeek
drwxr-xr-x  3 root root 4096 Nov 26 12:47 packages/

$ ll /usr/local/zeek/share/zeek/site/ja4/
total 56
drwxr-xr-x 11 root root 4096 Nov 26 11:55 ./
drwxr-xr-x  3 root root 4096 Nov 26 12:47 ../
-rw-r--r--  1 root root  537 Nov 26 11:55 config.zeek
drwxr-xr-x  2 root root 4096 Nov 26 11:55 ja4/
drwxr-xr-x  2 root root 4096 Nov 26 11:55 ja4d/
drwxr-xr-x  2 root root 4096 Nov 26 11:55 ja4h/
drwxr-xr-x  2 root root 4096 Nov 26 11:55 ja4l/
drwxr-xr-x  2 root root 4096 Nov 26 11:55 ja4s/
drwxr-xr-x  2 root root 4096 Nov 26 11:55 ja4ssh/
drwxr-xr-x  2 root root 4096 Nov 26 11:55 ja4t/
drwxr-xr-x  2 root root 4096 Nov 26 11:55 ja4x/
-rw-r--r--  1 root root  472 Nov 26 11:55 __load__.zeek
-rw-r--r--  1 root root 1610 Nov 26 11:55 README.md
drwxr-xr-x  2 root root 4096 Nov 26 11:55 utils/

Let me know if there is anything else I should try.
thanks,
Mark

[thenesk]

I figured out the issue, I didn't realize that zeek does not execute the site directory by default when invoked directly. A solution is to add the word local, causing zeek to execute the local.zeek script in the site directory.

$ zeek -C -r ../ja4-main/pcap/tls3.pcapng local

Might be worth adding this to the readme in case other's have the same confusion.