
Python JA4 hash works incorrectly since ciphers are presented as decimals #273

@slinkinone

Problem

Part B of the hash is calculated incorrectly.

ja4.py file; def to_ja4(x, debug_stream) function.

print (x['extensions']) leads to the following output:

['0x0000', '0x000a', '0x000b', '0x000d', '0x0005', '0x0012', '0x0017']

At the same time, print (x['ciphers']) leads to printing:

['255', '49196', '49195', '49188', '49187', '49162', '49161', '49200', '49199', '49192', '49191', '49172', '49171']

When ciphers go to def get_hex_sorted(entry, field, sort=True) (common.py), it leads to a mess, since the code starts cutting the first 2 chars (which is the 0x prefix, a magic number in the code), and with the ['255', '49196', '49195', '49188', '49187', '49162', '49161', '49200', '49199', '49192', '49191', '49172', '49171'] input we get c equal to:

['5', '196', '195', '188', '187', '162', '161', '200', '199', '192', '191', '172', '171']

Current output:

t00d130700_47af1d25ce6f_5d57e2904b27

Expected output:

t12d130700_741779f8b445_5d57e2904b27

Please note, the TLS version is printed as 00, which is a mistake as well. I have not found the problem yet.

Useful information

OS

uname -a
Darwin air14.local 24.5.0 Darwin Kernel Version 24.5.0: Tue Apr 22 19:54:26 PDT 2025; root:xnu-11417.121.6~2/RELEASE_ARM64_T8112 arm64
macOS Sequoia 15.5 (24F74)

Launch command

python3 ja4.py ~/projects/slinkin.tech/development/libraries/global/test/pcap_files/tls/tls_client_hello.pcap --verbose --raw_fingerprint

Tshark version

tshark --version
TShark (Wireshark) 4.6.2 (v4.6.2-0-g24d5e2b5a3dc).

Copyright 1998-2025 Gerald Combs <gerald@wireshark.org> and contributors.
Licensed under the terms of the GNU General Public License (version 2 or later).
This is free software; see the file named COPYING in the distribution. There is
NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compile-time info:
 Bit width: 64-bit
  Compiler: Clang 14.0.3 (clang-1403.0.22.14.1)
      GLib: 2.84.1
 With:
  +brotli                     +MaxMind
  +Gcrypt 1.11.2              +nghttp2 1.65.0
  +GnuTLS 3.8.11 and PKCS#11  +nghttp3 1.9.0
  +Kerberos (MIT)             +PCRE2 10.45 2025-02-05
  +libpcap                    +Snappy 1.2.2
  +libsmi 0.4.8               +xxhash 0.8.3
  +libxml2 2.14.2             +zlib 1.2.11
  +Lua 5.4.7                  +zlib-ng 2.2.4
  +LZ4 1.10.0                 +Zstandard 1.5.7
 Without:
  -POSIX capabilities

Runtime info:
      OS: macOS 15.5, build 24F74 (Darwin 24.5.0)
     CPU: Apple M2
  Memory: 16384 MB of physical memory
    GLib: 2.84.1
  Locale: LC_TYPE=UTF-8
 Plugins: supported, 0 loaded
 With:
  +brotli 1.2.0            +libsmi 0.4.8            +xxhash 803
  +c-ares 1.34.5           +LZ4 1.10.0              +zlib 1.2.12
  +Gcrypt 1.11.2           +nghttp2 1.65.0          +Zstandard 1.5.7
  +GnuTLS 3.8.11           +nghttp3 1.9.0
  +libpcap 1.10.1          +PCRE2 10.45 2025-02-05

Python version

python3 --version
Python 3.13.1

Input file

tls_client_hello.pcap.zip
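
The mangling reported above, next to a normalizer that accepts both value forms, as an added example that is not the project's code and not part of the original issue. All function names are hypothetical; it assumes that strings without a `0x` prefix are decimal, that code points are 16-bit, and that the hashed section is the first 12 hex characters of SHA-256 over the comma-joined sorted list.

```python
import hashlib

# Cipher list exactly as printed in the issue (decimal strings).
ISSUE_CIPHERS = ['255', '49196', '49195', '49188', '49187', '49162', '49161',
                 '49200', '49199', '49192', '49191', '49172', '49171']
# Constructed for this example: the same code points in '0x' hex form.
HEX_CIPHERS = ['0x00ff', '0xc02c', '0xc02b', '0xc024', '0xc023', '0xc00a', '0xc009',
               '0xc030', '0xc02f', '0xc028', '0xc027', '0xc014', '0xc013']


def strip_prefix_naive(values):
    """Reproduce the behaviour the issue describes: always drop two characters."""
    return [v[2:] for v in values]


def normalize_code(value):
    """Return a 16-bit code point as 4 lowercase hex digits, from hex or decimal text."""
    text = value.strip().lower()
    number = int(text, 16) if text.startswith('0x') else int(text, 10)
    if not 0 <= number <= 0xFFFF:
        raise ValueError(f'not a 16-bit code point: {value!r}')
    return f'{number:04x}'


def is_grease(code):
    """GREASE values (RFC 8701) are 0x0a0a, 0x1a1a, ... 0xfafa; JA4 ignores them."""
    return code[:2] == code[2:] and code[1] == 'a'


def sorted_hex_list(values):
    """Normalize every entry, drop GREASE, and sort."""
    return sorted(c for c in map(normalize_code, values) if not is_grease(c))


def truncated_hash(values):
    """First 12 hex chars of SHA-256 over the comma-joined sorted list."""
    return hashlib.sha256(','.join(sorted_hex_list(values)).encode()).hexdigest()[:12]


if __name__ == '__main__':
    print('naive     :', strip_prefix_naive(ISSUE_CIPHERS))
    print('normalized:', sorted_hex_list(ISSUE_CIPHERS))
    print('same hash :', truncated_hash(ISSUE_CIPHERS) == truncated_hash(HEX_CIPHERS))
```

Normalizing to an integer first makes the fingerprint independent of how the capture tool renders the field, which matters when the hash is used as a detection key across sensors running different tool versions.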
