Akamai对抗的隐秘战线——TLS指纹

Python技术杂谈 2026-07-13 12:09:13 阅读(17) 评论(0)

调试 Akamai 站点爬虫时发现,Requests 默认发包极易被风控识别拦截,单纯修改请求头完全无法规避。

为搞懂底层识别逻辑,本文从零梳理 TLS 握手、JA3/JA4 指纹核心原理,搭配 Wireshark 抓包对比脚本与浏览器的数据包差异,拆解指纹识别完整链路,最后给出复刻浏览器 TLS 特征、自建请求库的实操方案。

背景科普

在动手抓包之前,科普一些名词。

1. TLS 握手/ClientHello 是什么?
访问 https:// 网站时,在专属数据之前时,客户端会先给服务器发一个 ClientHello的包,里面包含着加密套件,扩展程序这些关键信息,不同版本的客户端携带的内容不一样。

2. 为什么能当「指纹」?
关键在于——这个 ClientHello明文发的(加密还没建立起来),任何人都能看到里面全部内容。而且不同客户端(Chrome、Firefox、requests)携带的内容都不一致,但每个客户端携带的内容每次都很相似,所以通过这个可以来进行判断客户端。

3. JA3 / JA4 是什么?
客户端发送ClientHello时,将 加密套件、 扩展等相关信息按一定的规则来计算成hash,当作这个客户端的指纹 ID。服务器 / WAF(如 Akamai)手里有一份「已知浏览器指纹库」,来一个请求就算一次指纹去比对:对得上真浏览器就放行,对不上就当成脚本拦掉。

4. 那 requests 为什么老是被认出来?
因为 requests 底层是 OpenSSL,它的 ClientHello 是OpenSSL,对于校验严格会一下识别出来。而且这发生在 TLS 握手阶段,比 HTTP 请求还早—所以你就算把 User-Agent 改成 Chrome 也没用。

指纹检测的流程

Akamai对抗的隐秘战线——TLS指纹

0. 版本信息

requests 2.34.2
firefox 152.0.5
chrome 150.0.7871.115
wireshark v4.6.7-0-gb439fb7b47a9

1. wireshark抓包

一般的抓包软件很难找到相关的请求信息,wireshark作为老牌的网络工具,功能齐全。

打开抓包软件,我在虚拟机进行,捕获的接口为 Ethernet0(以太网)

image-20260709192741169
image-20260709192741169

使用 requests 请求发包

import requests

resp = requests.get("https://example.com/").text
print(resp)

发出请求后,wireshark已经出现Client Hello相关流量。

image-20260709192851251
image-20260709192851251
image-20260709193244197
image-20260709193244197

抓包的信息相关解释如下表格

英文(Wireshark 显示) 中文名称
Frame 帧 / 抓包元信息
Ethernet II 以太网(链路层帧头)
Internet Protocol Version 4 网际协议第 4 版(IPv4)
Transmission Control Protocol 传输控制协议(TCP)
Transport Layer Security 传输层安全协议(TLS)重点关注★

重点关注 Transport Layer Security 这里。接下来关注firefoxchrome的请求

2. Client Hello完整数据包

2.1 Python Requests库

Frame 4: Packet, 1587 bytes on wire (12696 bits), 1587 bytes captured (12696 bits) on interface \Device\NPF_{1B5B72E7-3008-426A-AAC9-250F52762B5E}, id 0
    Section number: 1
    Interface id: 0 (\Device\NPF_{1B5B72E7-3008-426A-AAC9-250F52762B5E})
        Interface name: \Device\NPF_{1B5B72E7-3008-426A-AAC9-250F52762B5E}
        Interface description: Ethernet0
    Encapsulation type: Ethernet (1)
    Arrival Time: Jul  9, 2026 18:43:38.870598400 中国标准时间
    UTC Arrival Time: Jul  9, 2026 10:43:38.870598400 UTC
    Epoch Arrival Time: 1783593818.870598400
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 12.361700 milliseconds]
    [Time delta from previous displayed frame: 12.361700 milliseconds]
    [Time since reference or first frame: 226.679200 milliseconds]
    Frame Number: 4
    Frame Length: 1587 bytes (12696 bits)
    Capture Length: 1587 bytes (12696 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:tls]
    Character encoding: ASCII (0)
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet II, Src: VMware_23:87:c9 (00:0c:29:23:87:c9), Dst: XiaomiMobile_ea:55:c4 (50:4f:3b:ea:55:c4)
    Destination: XiaomiMobile_ea:55:c4 (50:4f:3b:ea:55:c4)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: VMware_23:87:c9 (00:0c:29:23:87:c9)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
    [Stream index: 0]
Internet Protocol Version 4, Src: 192.168.31.163, Dst: 172.66.147.243
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    [Total Length: 1573 bytes (reported as 0, presumed to be because of "TCP segmentation offload" (TSO))]
    Identification: 0x2bef (11247)
    010. .... = Flags: 0x2, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 128
    Protocol: TCP (6)
    Header Checksum: 0x0000 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.31.163
    Destination Address: 172.66.147.243
    [Stream index: 0]
Transmission Control Protocol, Src Port: 55171, Dst Port: 443, Seq: 1, Ack: 1, Len: 1533
    Source Port: 55171
    Destination Port: 443
    [Stream index: 0]
    [Stream Packet Number: 4]
    [Conversation completeness: Complete, WITH_DATA (31)]
        ..0. .... = RST: Absent
        ...1 .... = FIN: Present
        .... 1... = Data: Present
        .... .1.. = ACK: Present
        .... ..1. = SYN-ACK: Present
        .... ...1 = SYN: Present
        [Completeness Flags: ·FDASS]
    [TCP Segment Len: 1533]
    Sequence Number: 1    (relative sequence number)
    Sequence Number (raw): 2825017551
    [Next Sequence Number: 1534    (relative sequence number)]
    Acknowledgment Number: 1    (relative ack number)
    Acknowledgment number (raw): 133989241
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window: 1028
    [Calculated window size: 263168]
    [Window size scaling factor: 256]
    Checksum: 0x2088 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    [Timestamps]
        [Time since first frame in this TCP stream: 226.679200 milliseconds]
        [Time since previous frame in this TCP stream: 12.361700 milliseconds]
    [SEQ/ACK analysis]
        [iRTT: 214.317500 milliseconds]
        [Bytes in flight: 1533]
        [Bytes sent since last PSH flag: 1533]
    [Client Contiguous Streams: 1]
    [Server Contiguous Streams: 1]
    TCP payload (1533 bytes)
Transport Layer Security
    [Stream index: 0]
    TLSv1.3 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 1528
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 1524
            Version: TLS 1.2 (0x0303)
                [Expert Info (Chat/Deprecated): This legacy_version field MUST be ignored. The supported_versions extension is present and MUST be used instead.]
                    [This legacy_version field MUST be ignored. The supported_versions extension is present and MUST be used instead.]
                    [Severity level: Chat]
                    [Group: Deprecated]
            Random: 2451d4ff61edf485b8b8accbfdd26a9ef0af2b4c9b6221263336fa6353b02052
            Session ID Length: 32
            Session ID: 38c3f18427ff8ef741e758b6e9298dba7654295b8b651cb5cbda7c5bd6bbe5f6
            Cipher Suites Length: 34
            Cipher Suites (17 suites)
                Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
                Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
                Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
                Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 1417
            Extension: renegotiation_info (len=1)
                Type: renegotiation_info (65281)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0
            Extension: server_name (len=16) name=example.com
                Type: server_name (0)
                Length: 16
                Server Name Indication extension
                    Server Name list length: 14
                    Server Name Type: host_name (0)
                    Server Name length: 11
                    Server Name: example.com
            Extension: ec_point_formats (len=4)
                Type: ec_point_formats (11)
                Length: 4
                EC point formats Length: 3
                Elliptic curves point formats (3)
                    EC point format: uncompressed (0)
                    EC point format: ansiX962_compressed_prime (1)
                    EC point format: ansiX962_compressed_char2 (2)
            Extension: supported_groups (len=18)
                Type: supported_groups (10)
                Length: 18
                Supported Groups List Length: 16
                Supported Groups (8 groups)
                    Supported Group: X25519MLKEM768 (0x11ec)
                    Supported Group: x25519 (0x001d)
                    Supported Group: secp256r1 (0x0017)
                    Supported Group: x448 (0x001e)
                    Supported Group: secp384r1 (0x0018)
                    Supported Group: secp521r1 (0x0019)
                    Supported Group: ffdhe2048 (0x0100)
                    Supported Group: ffdhe3072 (0x0101)
            Extension: application_layer_protocol_negotiation (len=11)
                Type: application_layer_protocol_negotiation (16)
                Length: 11
                ALPN Extension Length: 9
                ALPN Protocol
                    ALPN string length: 8
                    ALPN Next Protocol: http/1.1
            Extension: encrypt_then_mac (len=0)
                Type: encrypt_then_mac (22)
                Length: 0
            Extension: extended_master_secret (len=0)
                Type: extended_master_secret (23)
                Length: 0
            Extension: post_handshake_auth (len=0)
                Type: post_handshake_auth (49)
                Length: 0
            Extension: signature_algorithms (len=54)
                Type: signature_algorithms (13)
                Length: 54
                Signature Hash Algorithms Length: 52
                Signature Hash Algorithms (26 algorithms)
                    Signature Algorithm: mldsa65 (0x0905)
                        Signature Hash Algorithm Hash: Unknown (9)
                        Signature Hash Algorithm Signature: Unknown (5)
                    Signature Algorithm: mldsa87 (0x0906)
                        Signature Hash Algorithm Hash: Unknown (9)
                        Signature Hash Algorithm Signature: Unknown (6)
                    Signature Algorithm: mldsa44 (0x0904)
                        Signature Hash Algorithm Hash: Unknown (9)
                        Signature Hash Algorithm Signature: Unknown (4)
                    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: ed25519 (0x0807)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (7)
                    Signature Algorithm: ed448 (0x0808)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (8)
                    Signature Algorithm: ecdsa_brainpoolP256r1tls13_sha256 (0x081a)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (26)
                    Signature Algorithm: ecdsa_brainpoolP384r1tls13_sha384 (0x081b)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (27)
                    Signature Algorithm: ecdsa_brainpoolP512r1tls13_sha512 (0x081c)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (28)
                    Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (9)
                    Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (10)
                    Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (11)
                    Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (4)
                    Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (5)
                    Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (6)
                    Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: SHA224 ECDSA (0x0303)
                        Signature Hash Algorithm Hash: SHA224 (3)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: SHA224 RSA (0x0301)
                        Signature Hash Algorithm Hash: SHA224 (3)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: SHA224 DSA (0x0302)
                        Signature Hash Algorithm Hash: SHA224 (3)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Algorithm: SHA256 DSA (0x0402)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Algorithm: SHA384 DSA (0x0502)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Algorithm: SHA512 DSA (0x0602)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: DSA (2)
            Extension: supported_versions (len=5) TLS 1.3, TLS 1.2
                Type: supported_versions (43)
                Length: 5
                Supported Versions length: 4
                Supported Version: TLS 1.3 (0x0304)
                Supported Version: TLS 1.2 (0x0303)
            Extension: psk_key_exchange_modes (len=2)
                Type: psk_key_exchange_modes (45)
                Length: 2
                PSK Key Exchange Modes Length: 1
                PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1)
            Extension: key_share (len=1258) X25519MLKEM768, x25519
                Type: key_share (51)
                Length: 1258
                Key Share extension
                    Client Key Share Length: 1256
                    Key Share Entry: Group: X25519MLKEM768, Key Exchange length: 1216
                        Group: X25519MLKEM768 (4588)
                        Key Exchange Length: 1216
                        Key Exchange […]: 3ff925d9d94eeedb2bf897bff6b4a31d107d04176d592aa16b0442e144331809598d3b9db7880ac5a18b5812af16339783470ce0079e65b68664923051f7c65a553a13911775296ecae8b836e12afea2c32f009a7c9c8ee0301866ec6136ea14fa0376d164b5f946be295bb8116
                    Key Share Entry: Group: x25519, Key Exchange length: 32
                        Group: x25519 (29)
                        Key Exchange Length: 32
                        Key Exchange: b09c22d452ad7367b4ceb4aabb72aa94f24fc34ce0e7c2ae15799359e847eb2d
            [JA4: t13d1712h1_ab0a1bf427ad_882d495ac381]
            [JA4_r […]: t13d1712h1_0067,006b,009e,009f,1301,1302,1303,c023,c024,c027,c028,c02b,c02c,c02f,c030,cca8,cca9_000a,000b,000d,0016,0017,002b,002d,0031,0033,ff01_0905,0906,0904,0403,0503,0603,0807,0808,081a,081b,081c,0809,080a,080b,0804,0805,]
            [JA3 Fullstring: 771,4866-4867-4865-49196-49200-49195-49199-52393-52392-49188-49192-49187-49191-159-158-107-103,65281-0-11-10-16-22-23-49-13-43-45-51,4588-29-23-30-24-25-256-257,0-1-2]
            [JA3: 7291ea5e449f2c7b17582541703e549d]

2.2 Firefox

Frame 10: Packet, 1948 bytes on wire (15584 bits), 1948 bytes captured (15584 bits) on interface \Device\NPF_{1B5B72E7-3008-426A-AAC9-250F52762B5E}, id 0
    Section number: 1
    Interface id: 0 (\Device\NPF_{1B5B72E7-3008-426A-AAC9-250F52762B5E})
        Interface name: \Device\NPF_{1B5B72E7-3008-426A-AAC9-250F52762B5E}
        Interface description: Ethernet0
    Encapsulation type: Ethernet (1)
    Arrival Time: Jul  9, 2026 18:41:00.724424600 中国标准时间
    UTC Arrival Time: Jul  9, 2026 10:41:00.724424600 UTC
    Epoch Arrival Time: 1783593660.724424600
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 618.600 microseconds]
    [Time delta from previous displayed frame: 618.600 microseconds]
    [Time since reference or first frame: 1.997454400 seconds]
    Frame Number: 10
    Frame Length: 1948 bytes (15584 bits)
    Capture Length: 1948 bytes (15584 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:tls]
    Character encoding: ASCII (0)
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet II, Src: VMware_23:87:c9 (00:0c:29:23:87:c9), Dst: XiaomiMobile_ea:55:c4 (50:4f:3b:ea:55:c4)
    Destination: XiaomiMobile_ea:55:c4 (50:4f:3b:ea:55:c4)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: VMware_23:87:c9 (00:0c:29:23:87:c9)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
    [Stream index: 1]
Internet Protocol Version 4, Src: 192.168.31.163, Dst: 172.66.147.243
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    [Total Length: 1934 bytes (reported as 0, presumed to be because of "TCP segmentation offload" (TSO))]
    Identification: 0x2bcf (11215)
    010. .... = Flags: 0x2, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 128
    Protocol: TCP (6)
    Header Checksum: 0x0000 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.31.163
    Destination Address: 172.66.147.243
    [Stream index: 2]
Transmission Control Protocol, Src Port: 55131, Dst Port: 443, Seq: 1, Ack: 1, Len: 1894
    Source Port: 55131
    Destination Port: 443
    [Stream index: 1]
    [Stream Packet Number: 4]
    [Conversation completeness: Incomplete, DATA (15)]
        ..0. .... = RST: Absent
        ...0 .... = FIN: Absent
        .... 1... = Data: Present
        .... .1.. = ACK: Present
        .... ..1. = SYN-ACK: Present
        .... ...1 = SYN: Present
        [Completeness Flags: ··DASS]
    [TCP Segment Len: 1894]
    Sequence Number: 1    (relative sequence number)
    Sequence Number (raw): 468398048
    [Next Sequence Number: 1895    (relative sequence number)]
    Acknowledgment Number: 1    (relative ack number)
    Acknowledgment number (raw): 2400450490
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window: 1028
    [Calculated window size: 263168]
    [Window size scaling factor: 256]
    Checksum: 0x2088 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    [Timestamps]
        [Time since first frame in this TCP stream: 192.694400 milliseconds]
        [Time since previous frame in this TCP stream: 618.600 microseconds]
    [SEQ/ACK analysis]
        [iRTT: 192.075800 milliseconds]
        [Bytes in flight: 1894]
        [Bytes sent since last PSH flag: 1894]
    [Client Contiguous Streams: 1]
    [Server Contiguous Streams: 1]
    TCP payload (1894 bytes)
Transport Layer Security
    [Stream index: 0]
    TLSv1.3 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 1889
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 1885
            Version: TLS 1.2 (0x0303)
                [Expert Info (Chat/Deprecated): This legacy_version field MUST be ignored. The supported_versions extension is present and MUST be used instead.]
                    [This legacy_version field MUST be ignored. The supported_versions extension is present and MUST be used instead.]
                    [Severity level: Chat]
                    [Group: Deprecated]
            Random: baea10cb62fe88c424360a049ae1152c377f7a6f1dcee31defd273032e56ca17
            Session ID Length: 32
            Session ID: 14fe0ed93b39c185a9dfe9ed87687da9e05fd9486533163322f4676a98eeb8cf
            Cipher Suites Length: 32
            Cipher Suites (16 suites)
                Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
                Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
                Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
                Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 1780
            Extension: server_name (len=16) name=example.com
                Type: server_name (0)
                Length: 16
                Server Name Indication extension
                    Server Name list length: 14
                    Server Name Type: host_name (0)
                    Server Name length: 11
                    Server Name: example.com
            Extension: extended_master_secret (len=0)
                Type: extended_master_secret (23)
                Length: 0
            Extension: renegotiation_info (len=1)
                Type: renegotiation_info (65281)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0
            Extension: supported_groups (len=16)
                Type: supported_groups (10)
                Length: 16
                Supported Groups List Length: 14
                Supported Groups (7 groups)
                    Supported Group: X25519MLKEM768 (0x11ec)
                    Supported Group: x25519 (0x001d)
                    Supported Group: secp256r1 (0x0017)
                    Supported Group: secp384r1 (0x0018)
                    Supported Group: secp521r1 (0x0019)
                    Supported Group: ffdhe2048 (0x0100)
                    Supported Group: ffdhe3072 (0x0101)
            Extension: ec_point_formats (len=2)
                Type: ec_point_formats (11)
                Length: 2
                EC point formats Length: 1
                Elliptic curves point formats (1)
                    EC point format: uncompressed (0)
            Extension: session_ticket (len=0)
                Type: session_ticket (35)
                Length: 0
                Session Ticket: <MISSING>
            Extension: application_layer_protocol_negotiation (len=14)
                Type: application_layer_protocol_negotiation (16)
                Length: 14
                ALPN Extension Length: 12
                ALPN Protocol
                    ALPN string length: 2
                    ALPN Next Protocol: h2
                    ALPN string length: 8
                    ALPN Next Protocol: http/1.1
            Extension: status_request (len=5)
                Type: status_request (5)
                Length: 5
                Certificate Status Type: OCSP (1)
                Responder ID list Length: 0
                Request Extensions Length: 0
            Extension: delegated_credentials (len=10)
                Type: delegated_credentials (34)
                Length: 10
                Signature Hash Algorithms Length: 8
                Signature Hash Algorithms (4 algorithms)
                    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: ecdsa_sha1 (0x0203)
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: ECDSA (3)
            Extension: signed_certificate_timestamp (len=0)
                Type: signed_certificate_timestamp (18)
                Length: 0
            Extension: key_share (len=1327) X25519MLKEM768, x25519, secp256r1
                Type: key_share (51)
                Length: 1327
                Key Share extension
                    Client Key Share Length: 1325
                    Key Share Entry: Group: X25519MLKEM768, Key Exchange length: 1216
                        Group: X25519MLKEM768 (4588)
                        Key Exchange Length: 1216
                        Key Exchange […]: f1a9369202492cb8134c10437901a80e122d5318b79b27baa7d83ffc0543c8a6012fdccd46858a3fda3120b39308b8841604a0a90a72945ab590dcc4f8f7c9176b6335056d4696504b52b6c0b92cfa0b331619695fa77b094b55b2f80891a45c4b5a33d79122f4e12c67d7b771f
                    Key Share Entry: Group: x25519, Key Exchange length: 32
                        Group: x25519 (29)
                        Key Exchange Length: 32
                        Key Exchange: 8e8108092a780cda7aa76a875a9b56094f03d1acc1866cf32ceb08d17d16c60c
                    Key Share Entry: Group: secp256r1, Key Exchange length: 65
                        Group: secp256r1 (23)
                        Key Exchange Length: 65
                        Key Exchange: 045376de4a03592749a1f852bf4b37381bb8c1eb08229a954cf5e29a4003f73211a1ac0f8643c48218a9f45ea5376771475cc6328d49144d8dd6406941138e7a34
            Extension: supported_versions (len=5) TLS 1.3, TLS 1.2
                Type: supported_versions (43)
                Length: 5
                Supported Versions length: 4
                Supported Version: TLS 1.3 (0x0304)
                Supported Version: TLS 1.2 (0x0303)
            Extension: signature_algorithms (len=24)
                Type: signature_algorithms (13)
                Length: 24
                Signature Hash Algorithms Length: 22
                Signature Hash Algorithms (11 algorithms)
                    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (4)
                    Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (5)
                    Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (6)
                    Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: ecdsa_sha1 (0x0203)
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: RSA (1)
            Extension: psk_key_exchange_modes (len=2)
                Type: psk_key_exchange_modes (45)
                Length: 2
                PSK Key Exchange Modes Length: 1
                PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1)
            Extension: record_size_limit (len=2)
                Type: record_size_limit (28)
                Length: 2
                Record Size Limit: 16385
            Extension: compress_certificate (len=7)
                Type: compress_certificate (27)
                Length: 7
                Algorithms Length: 6
                Algorithm: zlib (1)
                Algorithm: brotli (2)
                Algorithm: zstd (3)
            Extension: encrypted_client_hello (len=281)
                Type: encrypted_client_hello (65037)
                Length: 281
                Client Hello type: Outer Client Hello (0)
                Cipher Suite: HKDF-SHA256/AES-128-GCM
                    KDF Id: HKDF-SHA256 (1)
                    AEAD Id: AES-128-GCM (1)
                Config Id: 212
                Enc length: 32
                Enc: a4539b02d1ce0a4dfff8e9bbff03a1387640e5a6044696293e6a21209c72ff31
                Payload length: 239
                Payload […]: d88c4933be6d9404884b32c0fd0a449a372c000430c8d9c182ef9325ff12d6d1b2dfc1190603f9b2919fc3fa85229c64ef0da665788bbc79bf1895feadcbf3fef090aa29bf74414b2a6a8fe85bf9b9d269ddd83f6c642f71a0d84277acf4f0ccd248d43c049154b37da3a27384eafd44
            [JA4: t13d1617h2_86a278354501_3cbfd9057e0d]
            [JA4_r: t13d1617h2_002f,0035,009c,009d,1301,1302,1303,c00a,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,001c,0022,0023,002b,002d,0033,fe0d,ff01_0403,0503,0603,0804,0805,0806,0401,0501,0601,0203,0201]
            [JA3 Fullstring: 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-34-18-51-43-13-45-28-27-65037,4588-29-23-24-25-256-257,0]
            [JA3: 6447ab086255d194909d4013b1a89e87]

2.3 Chrome

Frame 20: Packet, 1813 bytes on wire (14504 bits), 1813 bytes captured (14504 bits) on interface \Device\NPF_{1B5B72E7-3008-426A-AAC9-250F52762B5E}, id 0
    Section number: 1
    Interface id: 0 (\Device\NPF_{1B5B72E7-3008-426A-AAC9-250F52762B5E})
        Interface name: \Device\NPF_{1B5B72E7-3008-426A-AAC9-250F52762B5E}
        Interface description: Ethernet0
    Encapsulation type: Ethernet (1)
    Arrival Time: Jul  9, 2026 19:07:10.337597800 中国标准时间
    UTC Arrival Time: Jul  9, 2026 11:07:10.337597800 UTC
    Epoch Arrival Time: 1783595230.337597800
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 659.900 microseconds]
    [Time delta from previous displayed frame: 659.900 microseconds]
    [Time since reference or first frame: 2.718532000 seconds]
    Frame Number: 20
    Frame Length: 1813 bytes (14504 bits)
    Capture Length: 1813 bytes (14504 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:tls]
    Character encoding: ASCII (0)
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet II, Src: VMware_23:87:c9 (00:0c:29:23:87:c9), Dst: XiaomiMobile_ea:55:c4 (50:4f:3b:ea:55:c4)
    Destination: XiaomiMobile_ea:55:c4 (50:4f:3b:ea:55:c4)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: VMware_23:87:c9 (00:0c:29:23:87:c9)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
    [Stream index: 0]
Internet Protocol Version 4, Src: 192.168.31.163, Dst: 172.66.147.243
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    [Total Length: 1799 bytes (reported as 0, presumed to be because of "TCP segmentation offload" (TSO))]
    Identification: 0x2bfb (11259)
    010. .... = Flags: 0x2, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 128
    Protocol: TCP (6)
    Header Checksum: 0x0000 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.31.163
    Destination Address: 172.66.147.243
    [Stream index: 5]
Transmission Control Protocol, Src Port: 62580, Dst Port: 443, Seq: 1, Ack: 1, Len: 1759
    Source Port: 62580
    Destination Port: 443
    [Stream index: 6]
    [Stream Packet Number: 4]
    [Conversation completeness: Incomplete, DATA (15)]
        ..0. .... = RST: Absent
        ...0 .... = FIN: Absent
        .... 1... = Data: Present
        .... .1.. = ACK: Present
        .... ..1. = SYN-ACK: Present
        .... ...1 = SYN: Present
        [Completeness Flags: ··DASS]
    [TCP Segment Len: 1759]
    Sequence Number: 1    (relative sequence number)
    Sequence Number (raw): 603691538
    [Next Sequence Number: 1760    (relative sequence number)]
    Acknowledgment Number: 1    (relative ack number)
    Acknowledgment number (raw): 3355459472
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window: 1028
    [Calculated window size: 263168]
    [Window size scaling factor: 256]
    Checksum: 0x2088 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    [Timestamps]
        [Time since first frame in this TCP stream: 229.210600 milliseconds]
        [Time since previous frame in this TCP stream: 659.900 microseconds]
    [SEQ/ACK analysis]
        [iRTT: 228.550700 milliseconds]
        [Bytes in flight: 1759]
        [Bytes sent since last PSH flag: 1759]
    [Client Contiguous Streams: 1]
    [Server Contiguous Streams: 1]
    TCP payload (1759 bytes)
Transport Layer Security
    [Stream index: 0]
    TLSv1.3 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 1754
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 1750
            Version: TLS 1.2 (0x0303)
                [Expert Info (Chat/Deprecated): This legacy_version field MUST be ignored. The supported_versions extension is present and MUST be used instead.]
                    [This legacy_version field MUST be ignored. The supported_versions extension is present and MUST be used instead.]
                    [Severity level: Chat]
                    [Group: Deprecated]
            Random: a5608c259e18a38e73c56a836ac1650d03a323ed98e25061f4cf2c4908866cca
            Session ID Length: 32
            Session ID: 4e370f778ac67779d5cb9703b35f95d603c885271c5e37181fc9583c5cfe2d78
            Cipher Suites Length: 32
            Cipher Suites (16 suites)
                Cipher Suite: Reserved (GREASE) (0xfafa)
                Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
                Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
                Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
                Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 1645
            Extension: Reserved (GREASE) (len=0)
                Type: Reserved (GREASE) (56026)
                Length: 0
                Data: <MISSING>
            Extension: extended_master_secret (len=0)
                Type: extended_master_secret (23)
                Length: 0
            Extension: application_layer_protocol_negotiation (len=14)
                Type: application_layer_protocol_negotiation (16)
                Length: 14
                ALPN Extension Length: 12
                ALPN Protocol
                    ALPN string length: 2
                    ALPN Next Protocol: h2
                    ALPN string length: 8
                    ALPN Next Protocol: http/1.1
            Extension: renegotiation_info (len=1)
                Type: renegotiation_info (65281)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0
            Extension: signed_certificate_timestamp (len=0)
                Type: signed_certificate_timestamp (18)
                Length: 0
            Extension: server_name (len=16) name=example.com
                Type: server_name (0)
                Length: 16
                Server Name Indication extension
                    Server Name list length: 14
                    Server Name Type: host_name (0)
                    Server Name length: 11
                    Server Name: example.com
            Extension: psk_key_exchange_modes (len=2)
                Type: psk_key_exchange_modes (45)
                Length: 2
                PSK Key Exchange Modes Length: 1
                PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1)
            Extension: signature_algorithms (len=24)
                Type: signature_algorithms (13)
                Length: 24
                Signature Hash Algorithms Length: 22
                Signature Hash Algorithms (11 algorithms)
                    Signature Algorithm: mldsa44 (0x0904)
                        Signature Hash Algorithm Hash: Unknown (9)
                        Signature Hash Algorithm Signature: Unknown (4)
                    Signature Algorithm: mldsa65 (0x0905)
                        Signature Hash Algorithm Hash: Unknown (9)
                        Signature Hash Algorithm Signature: Unknown (5)
                    Signature Algorithm: mldsa87 (0x0906)
                        Signature Hash Algorithm Hash: Unknown (9)
                        Signature Hash Algorithm Signature: Unknown (6)
                    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (4)
                    Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (5)
                    Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (6)
                    Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: RSA (1)
            Extension: compress_certificate (len=3)
                Type: compress_certificate (27)
                Length: 3
                Algorithms Length: 2
                Algorithm: brotli (2)
            Extension: ec_point_formats (len=2)
                Type: ec_point_formats (11)
                Length: 2
                EC point formats Length: 1
                Elliptic curves point formats (1)
                    EC point format: uncompressed (0)
            Extension: supported_versions (len=7) TLS 1.3, TLS 1.2
                Type: supported_versions (43)
                Length: 7
                Supported Versions length: 6
                Supported Version: Reserved (GREASE) (0x5a5a)
                Supported Version: TLS 1.3 (0x0304)
                Supported Version: TLS 1.2 (0x0303)
            Extension: session_ticket (len=0)
                Type: session_ticket (35)
                Length: 0
                Session Ticket: <MISSING>
            Extension: status_request (len=5)
                Type: status_request (5)
                Length: 5
                Certificate Status Type: OCSP (1)
                Responder ID list Length: 0
                Request Extensions Length: 0
            Extension: encrypted_client_hello (len=218)
                Type: encrypted_client_hello (65037)
                Length: 218
                Client Hello type: Outer Client Hello (0)
                Cipher Suite: HKDF-SHA256/AES-128-GCM
                    KDF Id: HKDF-SHA256 (1)
                    AEAD Id: AES-128-GCM (1)
                Config Id: 58
                Enc length: 32
                Enc: 84d00f53aa2ae3aef0c39fa230662993a476da1eb7715d7e5a760e05ed8acb1a
                Payload length: 176
                Payload […]: cb02c3d600a8f35d86059a55cd53f6f7416f11deae94ad3e08d037f777e8c17927d2d254d3c96006b1d577c0220c0edf1f5928093335d2ecfa1c40985bbcd374ffa86688d4bfc8f489d8e15b317cabbbe303fc2a7bd5fc99b922211c558d6599e9a9c29e08d964cdc2030b87a1990fb3
            Extension: key_share (len=1263) X25519MLKEM768, x25519
                Type: key_share (51)
                Length: 1263
                Key Share extension
                    Client Key Share Length: 1261
                    Key Share Entry: Group: Reserved (GREASE), Key Exchange length: 1
                        Group: Reserved (GREASE) (19018)
                        Key Exchange Length: 1
                        Key Exchange: 00
                    Key Share Entry: Group: X25519MLKEM768, Key Exchange length: 1216
                        Group: X25519MLKEM768 (4588)
                        Key Exchange Length: 1216
                        Key Exchange […]: bea9c7d4632d4e558f25dc9245b14f8a542b4ba2255f330fbb6b801cc12794a472f4f18ba271cab5745d9d25a89d05136a1135af2b6e13a6c688466d3c1c1eb7c741edb8b2f3c8530f41c08a6bac7d02ab81a114b85c4dd1329f1520bd6791b7d52636d9b624e8371c4f6900287
                    Key Share Entry: Group: x25519, Key Exchange length: 32
                        Group: x25519 (29)
                        Key Exchange Length: 32
                        Key Exchange: c752acf3afd8aefb4e532f1ba66fb344a40b4f807a44dabcba3d73617f9a2e66
            Extension: supported_groups (len=12)
                Type: supported_groups (10)
                Length: 12
                Supported Groups List Length: 10
                Supported Groups (5 groups)
                    Supported Group: Reserved (GREASE) (0x4a4a)
                    Supported Group: X25519MLKEM768 (0x11ec)
                    Supported Group: x25519 (0x001d)
                    Supported Group: secp256r1 (0x0017)
                    Supported Group: secp384r1 (0x0018)
            Extension: application_settings (len=5)
                Type: application_settings (17613)
                Length: 5
                ALPS Extension Length: 3
                Supported ALPN List
                    Supported ALPN Length: 2
                    Supported ALPN: h2
            Extension: Reserved (GREASE) (len=1)
                Type: Reserved (GREASE) (14906)
                Length: 1
                Data: 00
            [JA4: t13d1516h2_8daaf6152771_806a8c22fdea]
            [JA4_r: t13d1516h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,0023,002b,002d,0033,44cd,fe0d,ff01_0904,0905,0906,0403,0804,0401,0503,0805,0501,0806,0601]
            [JA3 Fullstring: 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,23-16-65281-18-0-45-13-27-11-43-35-5-65037-51-10-17613,4588-29-23-24,0]
            [JA3: f6c9b33d2cc1d091ec4177e7bd702452]

3. 分析 Transport Layer Security

通过第 2 节的 Client Hello 完整数据包一点点来进行分析。

3.1 分析Layer以及Handshake

字段 requests Firefox Chrome
Version TLS 1.0 (0x0301) TLS 1.0 (0x0301) TLS 1.0 (0x0301)
Handshake Version TLS 1.2 (0x0303) TLS 1.2 (0x0303) TLS 1.2 (0x0303)
Random 2451d4…(32 字节) baea10…(32 字节) a5608c…(32 字节)
Session ID 32 字节 32 字节 32 字节
Compression null null null
Length 1524 1885 1750

3.2 Cipher Suites(加密套件信息)

# requests(17) Firefox(16) Chrome(16,含GREASE)
1 1302 AES256-GCM 1301 AES128-GCM GREASE(0xfafa)
2 1303 CHACHA20 1303 CHACHA20 1301 AES128-GCM
3 1301 AES128-GCM 1302 AES256-GCM 1302 AES256-GCM
4 c02c ECDHE-ECDSA-A256 c02b ECDHE-ECDSA-A128 1303 CHACHA20
5 c030 ECDHE-RSA-A256 c02f ECDHE-RSA-A128 c02b ECDHE-ECDSA-A128
6 c02b ECDHE-ECDSA-A128 cca9 ECDHE-ECDSA-CHACHA c02f ECDHE-RSA-A128
7 c02f ECDHE-RSA-A128 cca8 ECDHE-RSA-CHACHA c02c ECDHE-ECDSA-A256
8 cca9 ECDHE-ECDSA-CHACHA c02c ECDHE-ECDSA-A256 c030 ECDHE-RSA-A256
9 cca8 ECDHE-RSA-CHACHA c030 ECDHE-RSA-A256 cca9 ECDHE-ECDSA-CHACHA
10 c024 ECDHE-ECDSA-A256-CBC384 c00a ECDHE-ECDSA-A256-CBC cca8 ECDHE-RSA-CHACHA
11 c028 ECDHE-RSA-A256-CBC384 c013 ECDHE-RSA-A128-CBC c013 ECDHE-RSA-A128-CBC
12 c023 ECDHE-ECDSA-A128-CBC256 c014 ECDHE-RSA-A256-CBC c014 ECDHE-RSA-A256-CBC
13 c027 ECDHE-RSA-A128-CBC256 009c RSA-A128-GCM 009c RSA-A128-GCM
14 009f DHE-RSA-A256-GCM 009d RSA-A256-GCM 009d RSA-A256-GCM
15 009e DHE-RSA-A128-GCM 002f RSA-A128-CBC 002f RSA-A128-CBC
16 006b DHE-RSA-A256-CBC 0035 RSA-A256-CBC 0035 RSA-A256-CBC
17 0067 DHE-RSA-A128-CBC

3.3 Extensions(扩展插件)

顺序 requests(12,固定序) Firefox(17,固定序※) Chrome(18,每次重组)
1 renegotiation_info(65281) server_name(0) GREASE(56026)
2 server_name(0) extended_master_secret(23) extended_master_secret(23)
3 ec_point_formats(11) renegotiation_info(65281) ALPN(16)
4 supported_groups(10) supported_groups(10) renegotiation_info(65281)
5 ALPN(16) ec_point_formats(11) signed_certificate_timestamp(18)
6 encrypt_then_mac(22) session_ticket(35) server_name(0)
7 extended_master_secret(23) ALPN(16) psk_key_exchange_modes(45)
8 post_handshake_auth(49) status_request(5) signature_algorithms(13)
9 signature_algorithms(13) delegated_credentials(34) compress_certificate(27)
10 supported_versions(43) signed_certificate_timestamp(18) ec_point_formats(11)
11 psk_key_exchange_modes(45) key_share(51) supported_versions(43)
12 key_share(51) supported_versions(43) session_ticket(35)
13 signature_algorithms(13) status_request(5)
14 psk_key_exchange_modes(45) encrypted_client_hello(65037)
15 record_size_limit(28) key_share(51)
16 compress_certificate(27) supported_groups(10)
17 encrypted_client_hello(65037) application_settings(17613)
18 GREASE(14906)

※ Firefox 的扩展顺序经 2 次独立抓包验证一致(两次 Random 不同、但 JA3 相同——JA3 不排序扩展,故 JA3 相同即证明顺序未变)。注意 NSS 本身带有扩展乱序机制(见 5.5 节的 enableChXtnPermutation),未来版本或开启该 pref 后顺序可能变化,届时以实际抓包为准。Chrome 则是每次请求都重排(所以其 JA3 每次都变,需用会排序的 JA4 才稳定)。

3.4 Supported Groups

requests(8) Firefox(7) Chrome(5)
X25519MLKEM768 X25519MLKEM768 GREASE(0x4a4a)
x25519 x25519 X25519MLKEM768
secp256r1 secp256r1 x25519
x448 secp384r1 secp256r1
secp384r1 secp521r1 secp384r1
secp521r1 ffdhe2048
ffdhe2048 ffdhe3072
ffdhe3072

3.5 Signature Hash Algorithms

requests(26) Firefox(11) Chrome(11)
-mldsa 44/65/87 含有 44/65/87
ecdsa 256/384/512 含有 含有 256/384(无521)
ed25519 / ed448 含有
brainpool tls13 ×3 含有
rsa_pss_pss ×3 含有
rsa_pss_rsae ×3 含有 含有 含有
rsa_pkcs1 ×3 含有 含有 含有
sha1 (ecdsa/rsa) 含有(sha224系列) 含有
DSA sha224/256/384/512 含有

3.6 ALPN / 其他关键扩展取值

扩展 requests Firefox Chrome
ALPN http/1.1 h2, http/1.1 h2, http/1.1
ec_point_formats uncompressed +2 种 仅 uncompressed 仅 uncompressed
supported_versions 1.3, 1.2 1.3, 1.2 GREASE, 1.3, 1.2
psk_key_exchange_modes psk_dhe_ke psk_dhe_ke psk_dhe_ke
encrypt_then_mac 包含
post_handshake_auth 包含
session_ticket 包含 包含
status_request(OCSP) 包含 包含
signed_certificate_timestamp 包含 包含
delegated_credentials 包含
record_size_limit 包含(16385)
compress_certificate zlib+brotli+zstd 仅 brotli
encrypted_client_hello (ECH) 包含 包含
application_settings (ALPS) 包含
GREASE 包含

3.7 key_share

requests Firefox Chrome
X25519MLKEM768(1216B) X25519MLKEM768(1216B) GREASE(1B)
x25519(32B) x25519(32B) X25519MLKEM768(1216B)
secp256r1(65B) x25519(32B)

3.8 指纹

requests Firefox Chrome
JA3 7291ea5e449f2c7b17582541703e549d 6447ab086255d194909d4013b1a89e87 f6c9b33d2cc1d091ec4177e7bd702452
JA4 t13d1712h1_ab0a1bf427ad_882d495ac381 t13d1617h2_86a278354501_3cbfd9057e0d t13d1516h2_8daaf6152771_806a8c22fdea

JA3 与 JA4 的关键区别:JA3 保留扩展的原始顺序,JA4 会先把扩展排序再计算。

这直接影响到对 Chrome 的识别:Chrome 每次请求都会重排扩展顺序(还带随机 GREASE),所以它的 JA3 每次都变;而 JA4 因为排了序,对 Chrome 依然稳定。反过来,Firefox 扩展顺序固定, JA3 完全相同(见 3.3 节注※)。

破绽 requests 浏览器(Chrome/Firefox)
encrypted_client_hello
ALPN http/1.1 h2, http/1.1
application_settings Chrome 特有
签名算法 26 个,含 mldsa/ed25519/brainpool/DSA/SHA224 一大堆 精简 11 个
x448 群
独有扩展 encrypt_then_mac、post_handshake_auth

通过github的源码分析,requests 的请求最终是通过 openssl 来握手、发送的(调用链:requests → urllib3 → Python 标准库 ssl → OpenSSL)。所以上面像 encrypted_client_hello、ALPN(h2)、application_settings 这些,requests(urllib3)默认没有去启用它们;再加上套件/扩展/签名算法用的都是 OpenSSL 的出厂默认排列,所以 ClientHello 数据包一眼就能看出不是浏览器的发包。用curl_cffi这类开源的tls库,可以避免这些问题,如果开源的被检测了,可以看最后一节,直接动手封装专属自己的库。

5. 打造自己的请求库

在前面几个环节分析了requests与浏览器之前的请求差别。而且在第三节分析中,chrome的扩展插件的顺序并不是固定的,所以本次根据firefox来进行封装。

5.1 下载firefox源码

firefox源码地址,我使用的是 firefox151的版本,下载链接:https://ftp.mozilla.org/pub/firefox/releases/151.0.4/source/firefox-151.0.4.source.tar.xz

5.2 定位源码发包位置

image-20260709203446131
image-20260709203446131

netwerk里是firefox的请求地方

图片握手
图片握手

security/nss里是握手相关指纹核心。

5.3 指纹

指纹要素 文件 : 行 关键符号 说明
ClientHello 主构造 security/nss/lib/ssl/ssl3con.c:5505 ssl3_SendClientHello() 组装 legacy_version / random / session_id / cipher / compression / 扩展
Cipher suites 顺序(JA3 密码段) security/nss/lib/ssl/sslenum.c:57 SSL_ImplementedCiphers[] NSS 全集,发送序 = 数组序;Firefox 实际发子集(prefs 过滤)
↳ 一致性校验表 ssl3con.c:213 cipherSuites[] 必须与上表同序(源码 assert)
扩展列表 + 顺序(JA4) security/nss/lib/ssl/ssl3ext.c:128 clientHelloSendersTLS[] ClientHello 扩展发送顺序
↳ 扩展构造入口 ssl3ext.c:779 ssl_ConstructExtensions() 遍历 senders 表逐个 append
↳ 扩展乱序机制 ssl3ext.c:793 / :1159 enableChXtnPermutation / tls_ClientHelloExtensionPermutationSetup()
TLS1.2 扩展编码 security/nss/lib/ssl/ssl3exthandle.c ssl3_ClientSend*Xtn SNI/ALPN/EMS/renego/point_formats/status_request…
TLS1.3 扩展编码 security/nss/lib/ssl/tls13exthandle.c tls13_ClientSend*Xtn key_share/supported_versions/PSK/psk_modes/cookie/early_data
supported_groups(曲线) security/nss/lib/ssl/sslgrp.c ssl_SendSupportedGroupsXtn
key_share 曲线 security/manager/ssl/nsNSSIOLayer.cpp:1600
signature_algorithms security/nss/lib/ssl/tls13signature.c + ssl3con.c ssl3_SendSigAlgsXtn sigalg 列表
ECH(encrypted_client_hello) security/nss/lib/ssl/tls13ech.c / tls13echv.c tls13_ClientHandleEchXtn ECH 握手
TLS1.3 握手状态机 security/nss/lib/ssl/tls13con.c ServerHello 后的 1.3 流程

5.4 Cipher suites

NSS SSL_ImplementedCiphers[] 全集(发送即此序)。TLS 1.3 三个恒在最前:

Cipher Hex
1 TLS_AES_128_GCM_SHA256 0x1301
2 TLS_CHACHA20_POLY1305_SHA256 0x1303
3 TLS_AES_256_GCM_SHA384 0x1302
4 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xc02b
5 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xc02f
6 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 0xcca9
7 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 0xcca8
8 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xc02c
9 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xc030
10 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xc00a
11 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xc009
12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xc013
13 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xc014
(后续 DHE / ECDH / RSA / 3DES / RC4 / NULL 等大量老套件)
TLS_RSA_WITH_AES_128_GCM_SHA256 / …256_GCM / 128_CBC_SHA / 256_CBC_SHA … 0x009c 0x009d 0x002f 0x0035

5.5 扩展顺序

扩展 扩展
1 tls13_grease(空 GREASE) 12 key_share
2 server_name(SNI) 13 early_data
3 extended_master_secret 14 supported_versions
4 renegotiation_info 15 signature_algorithms
5 supported_groups 16 cookie
6 ec_point_formats 17 psk_key_exchange_modes
7 session_ticket 18 post_handshake_auth
8 application_layer_protocol(ALPN) 19 record_size_limit
9 use_srtp 20 certificate_compression
10 delegated_credentials 21 tls13_grease(1 字节 GREASE)
11 signed_certificate_timestamp(SCT) 22 pre_shared_key(必须最后)

5.6 总结

现在有AI的话,直接让AI阅读源码动手封装。我直接使用的是 Rust + PyO3封装好NSS和请求顺序、加密套件等相关指纹信息,然后通过python进行调用即可,目前成功绕过akamai的校验,稳定过。提示词如下:

/goal 根据firefox的源码阅读请求的握手和发送请求的地方,来进行模拟浏览器发包,使用Rust + PyO3来进行封装给Python调用,Api参考requests的风格来进行调用,在请求时,不断的比对akamai指纹和ja3/4的指纹信息,与浏览器同源,直到可以进行生产使用。

本文由 小卢 投稿

长期征稿

稿费 1000-2000 元 / 篇,长期有效 。征集爬虫逆向、数据行业、爬虫副业、合规避坑类原创首发文章。详情见:

1000 元一篇,把你的逆向笔记变现

猿人学的业务:
1、猿人学爬虫逆向课2、海外代理IP(不限量、动态/静态住宅IP)3、youtube 等音视频下载回流4、大模型预训练数据

5、SERP (google/bing等搜索结果)

6、海外电商/社媒数据

若有朋友需要可以加我微信 dismissmewp,谢谢。

 

猿人学banner宣传图

我的公众号:猿人学 Python 上会分享更多心得体会,敬请关注。

***版权申明:若没有特殊说明,文章皆是猿人学 yuanrenxue.con 原创,没有猿人学授权,请勿以任何形式转载。***

说点什么吧...