Hello.
I'm seeing something that doesn't fit in the JA4S calculation. The third field (after the protocol and TLS version) is, if I understand correctly, the number of extensions in the ServerHello packet.
Currently, in Wireshark, I am seeing a single extension in a ServerHello, with the number 65281. This matches at the byte level, and using PcapPlusPlus I come to the same conclusion. I am attaching a Wireshark screenshot.
The Python code in this repository that calculates the JA4S applies the following lines:
```python
x['extensions'] = [ '{:04x}'.format(int(k)) for k in x['extensions'] ]
ext_len = '{:02d}'.format(min(len(x['extensions']), 99))
```
This tells me that there are five extensions, not one, and that these five are:
['0006', '0005', '0002', '0008', '0001']
This implies that the Python code is not counting the number of extensions, but rather the number of bytes in the extensions. Is this correct, or is it a bug in the JA4S calculation?
Thank you.
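Added example, not part of the original post and not the repository's code: it walks a constructed ServerHello extensions block to count extensions at the byte level, then applies the two quoted lines to a list and to a bare string. The helper names (`parse_extension_types`, `quoted_lines`, `as_list`), the sample bytes, and the idea that a lone extension can reach those lines as the string `'65281'` rather than a one-element list are assumptions made for illustration.

```python
import struct

def parse_extension_types(ext_block):
    """Return extension type codes, in order, from a TLS extensions block
    (the bytes after the 2-byte total-length field)."""
    types, off = [], 0
    while off < len(ext_block):
        if off + 4 > len(ext_block):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", ext_block, off)
        off += 4
        if off + ext_len > len(ext_block):
            raise ValueError("extension data runs past end of block")
        off += ext_len  # skip the body; only the type is counted
        types.append(ext_type)
    return types

def quoted_lines(extensions):
    """The two lines quoted in the post, applied to whatever 'extensions' holds."""
    hexed = ['{:04x}'.format(int(k)) for k in extensions]
    return hexed, '{:02d}'.format(min(len(hexed), 99))

def as_list(value):
    """Hypothetical normalisation: wrap a lone scalar so it is not
    iterated character by character."""
    return list(value) if isinstance(value, (list, tuple)) else [value]

# Constructed sample: one extension, type 0xff01 (65281), length 1, body 0x00.
SAMPLE_EXT_BLOCK = bytes.fromhex("ff01000100")

if __name__ == "__main__":
    print(parse_extension_types(SAMPLE_EXT_BLOCK))  # byte-level count
    print(quoted_lines(["65281"]))                  # list input
    print(quoted_lines("65281"))                    # bare string input
    print(quoted_lines(as_list("65281")))           # normalised first
```

With a bare string, the comprehension iterates over its characters, which yields the same five values listed in the post; with a list, it yields a single `ff01` entry.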