Hello , When I use JA3(S) to parse MetaSploit-Framework(6.0.37-dev) - windows/x64/meterpreter/reverse_https Payload, it does not work.

I don't understand the reason for this, could you give me some suggestions? Thank you very much～

msf_https.pcap.zip

In its current form, the JA3 code will not generate fingerprints for IPv6 TLS handshakes. For example, if you run the following:
ja3 -a /path/to/pcap/containing/ipv6.pcap
Then it will just output [] indicating that no fingerprints were found.

The problem is because of one of the packet checks that is performed inside the process_pcap method:

if not isinstance(eth.data, dpkt.ip.IP):
    # We want an IP packet
    continue

This check will only allow IPv4 packets through.

I was able to get around this by changing the check to be:

if not (isinstance(eth.data, dpkt.ip.IP) or isinstance(eth.data, dpkt.ip6.IP6)):
    # We want an IP packet
    continue

After making this change, I was able to get fingerprints from PCAP files containing IPv6 packets.

The issue appears to be present in all of the following files:

• ja3.py
• ja3s.py
• ja3/ja3.py

it is really cool. Just a question: why md5 and not a faster hash like SipHash or BLAKE2?

We from Open Systems just open sourced a Go Implementation of the JA3 algorithm over at: https://github.com/open-ch/ja3

We were wondering if you would be willing to add our implementation to your README.

Cheers

Installed plugin by the instructions, when running scripts -c in zeekctl I do get

{"name":"  /opt/zeek/share/zeek/site/ja3/__load__.zeek"}
{"name":"    /opt/zeek/share/zeek/site/ja3/ja3.zeek"}
{"name":"    /opt/zeek/share/zeek/site/ja3/intel_ja3.zeek"}
{"name":"    /opt/zeek/share/zeek/site/ja3/ja3s.zeek"}

but don't have anything in ssl.log and can't figure out where to look for problems (if they exists)

Bro Version: 2.5.1

I receive the following error when checking scripts:

[BroControl] > deploy checking configurations ... bro scripts failed. error in /opt/bro/share/bro/site/./ja3/./ja3.bro, line 66: orphaned field "client_version" in record coercion ((coerce (coerce [] to JA3::TLSFPStorage) to TLSFP::TLSFPStorage)) error in /opt/bro/share/bro/site/./ja3/./ja3.bro, line 83: orphaned field "client_version" in record coercion ((coerce (coerce [] to JA3::TLSFPStorage) to TLSFP::TLSFPStorage)) error in /opt/bro/share/bro/site/./ja3/./ja3.bro, line 102: orphaned field "client_version" in record coercion ((coerce (coerce [] to JA3::TLSFPStorage) to TLSFP::TLSFPStorage)) error in /opt/bro/share/bro/site/./ja3/./ja3.bro, line 121: orphaned field "client_version" in record coercion ((coerce (coerce [] to JA3::TLSFPStorage) to TLSFP::TLSFPStorage)) error in /opt/bro/share/bro/site/./ja3/./ja3.bro, line 122: no such field in record (JA3::c$tlsfp$client_version) error in /opt/bro/share/bro/site/./ja3/./ja3.bro, line 127: no such field in record (JA3::c$tlsfp$client_ciphers) error in /opt/bro/share/bro/site/./ja3/./ja3.bro, line 128: no such field in record (JA3::c$tlsfp$client_ciphers) error in /opt/bro/share/bro/site/./ja3/./ja3.bro, line 131: no such field in record (JA3::c$tlsfp$client_ciphers) error in /opt/bro/share/bro/site/./ja3/./ja3.bro, line 135: no such field in record (JA3::c$tlsfp$client_version) error in /opt/bro/share/bro/site/./ja3/./ja3.bro, line 135: no such field in record (JA3::c$tlsfp$client_ciphers)

Not sure if i am missing a step. I tried loading the scripts from two different locations custom and site.

Hi! I'm not entirely familiar with JA3 but basically I have set up and configured Suricata with JA3 enabled etc but once I run Suricata, I seem to be getting the wrong hashes. I know this because I copy and paste them into https://ja3er.com/form and the hashes arent recognised, I'm testing it on the google chrome for reference. Any help would be greatly appreciated. I'm kinda new to IDS and JA3 so bare with me please!

I got this error while I was running js3 on pcap file :-

Traceback (most recent call last):
  File "F:\Program Files\Python39\lib\site-packages\dpkt\ssl.py", line 301, in unpack
    self.ciphersuites = [
  File "F:\Program Files\Python39\lib\site-packages\dpkt\ssl.py", line 302, in <listcomp>
    ssl_ciphersuites.BY_CODE[code] for code in struct.unpack('!' + num_ciphersuites * 'H', ciphersuites)]
KeyError: 64250

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "F:\Program Files\Python39\Scripts\ja3-script.py", line 33, in <module>
    sys.exit(load_entry_point('pyja3==1.1.0', 'console_scripts', 'ja3')())
  File "F:\Program Files\Python39\lib\site-packages\ja3\ja3.py", line 245, in main
    output = process_pcap(capture, any_port=args.any_port)
  File "F:\Program Files\Python39\lib\site-packages\ja3\ja3.py", line 194, in process_pcap
    handshake = dpkt.ssl.TLSHandshake(record.data)
  File "F:\Program Files\Python39\lib\site-packages\dpkt\dpkt.py", line 87, in __init__
    self.unpack(args[0])
  File "F:\Program Files\Python39\lib\site-packages\dpkt\ssl.py", line 421, in unpack
    self.data = embedded_type[1](self.data)
  File "F:\Program Files\Python39\lib\site-packages\dpkt\dpkt.py", line 87, in __init__
    self.unpack(args[0])
  File "F:\Program Files\Python39\lib\site-packages\dpkt\ssl.py", line 304, in unpack
    raise SSL3Exception('Unknown or invalid cipher suite type %x' % int(e.args[0]))
dpkt.ssl.SSL3Exception: Unknown or invalid cipher suite type fafa

Upgraded our bro instance to the latest LTS version of Zeek (3.0.13 at time of writing). We had the older version of ja3 for bro so did a one-to-one replacement of the files to be placed in the /opt/zeek/share/zeek/site/ja3 directory. We tried both the original and the installation instruction's @ load line in local.zeek (@ load ja3/ which worked for the bro version, and @ load ./ja3 per the zeek instructions). In both cases, the file permissions are exactly the same.

The error message received when we run broctl deploy is:
"fatal error in /opt/zeek/share/zeek/site/local.zeek, line 221: can't find ./ja3"

The path changes to what we originally used with the bro version of ja3/.

Also for sanity made sure there were no extraneous white spaces or anything. When I moved the older bro version of ja3 back in place, deploy was successful and the scripts worked as expected adding the fields we need.

$ja3 -j cs_client_online.pcap
$[]

cs_client_online.zip

Not sure if loopback pcaps are even a concern but client and server could be on same system over loopback and the loopback header seems to cause the data to be incorrectly parsed using your dpkt logic because of the lack of an Ethernet header.

python3 ja3s.py -j trace1.pcap
[]

Hey guys,

Thanks for providing this - it looks awesome and I can really see the usefulness of it in my own deployment.

One quick question - do you have any plans to integrate it with the Bro Package Manager system (http://bro-package-manager.readthedocs.io/en/stable/index.html)? It simplifies deployment and maintenance on the hosts quite a bit.

Thanks in advance, Mike

https://chromestatus.com/feature/5124606246518784 discusses a new change, designed to prevent ossification, in which client hellos will be randomized, subject to the limits in the RFC.

It was originally scheduled to go into Chrome 110, but was actually merged in Chrome 109.

Other fingerprinting implementations such as https://tlsfingerprint.io have started to sort these headers to restore some consistency; see https://tlsfingerprint.io/norm_fp .

Does JA3 plan to address this?

I've been working on a lookup table for ja3.bro that uses the input framework to ingest a file with ja3 hashes and their associated user-agents and add that meta-data to record. Wondering if you would be interested in adding that feature upstream. Below is my Github Repo.

https://github.com/bryant-treacle/SSL_Traffic_Hunting

Let me know what you think.

Was this site completely turned off or is it a temporary outage?

long_description=read('README.md'),

In the python folder it's a different extension.

Topic :)

warning in /opt/zeek/share/zeek/site/packages/./ja3/./ja3.bro, line 59: deprecated (bro_init): Remove in v3.1: use zeek_init
warning in /opt/zeek/share/zeek/site/packages/./ja3/./ja3s.bro, line 41: deprecated (bro_init): Remove in v3.1: use zeek_init

Hi there,

Thanks a lot for sharing JA3, it is a great idea!

For your information, I have integrated JA3 support, based on the Bro scripts from this repository, to the passiverecon Bro script integrated to (and used by) IVRE, an open-source passive & active network recon framework.

I have tried to prevent any incompatibility with your scripts (or other existing scripts) by using ivre specific prefix for the records added to existing logs and structures (to prevent issues similar to #13).

I have also simplified & improved the code, so you may want to reuse some of the changes I made.

The integration has been done in ivre/ivre#624. The script, based on your code, is released under the same license as IVRE (GPLv3+), while keeping the Salesforce copyright notice (Copyright 2017 salesforce.com, inc.) as it is my understanding that this is permitted by the license used for the original scripts. Please let me know if you disagree or if it is a problem for you.

Thanks again!

https://github.com/salesforce/ja3/blob/master/README.md
"This repo includes JA3 and JA3S scripts for Zeek..."
https://www.zeekurity.org https://zeek.org

like fingerprintls, can you kindly add a parameter to ja3 tool to accept and based its sniffing and computation on a network interface?

I have this weird issue in Zeek where only the ja3s information is being added to my ssl.log file, not sign of any ja3 information...How should I start troubleshooting this ?

I installed using zkg an have the following in my local.zeek file, I had no errors when starting on installing anything (Zeek included):

@load packages

Zeek is installed on my proxy server (running Squid) so it should see all SSL traffic going back and forth.

I am trying to understand how the SSL extension length and extensions are set in the server hello packet but can't find a good resource for it. Any help is appreciated.

Hello! I created a Rust implementation of your amazing work here: https://github.com/jabedude/ja3-rs.

Is there any way you could add that to your README? There is some network analysis work being done with rust in the Suricata project that might want to use it !

Gentlemen:

I would appreciate if someone could answer the title question, i.e. why is the output of ja3s.py on the pcap file that contains a TLS handshake with Server Hello that has several extensions , including "ec_point_formats" extension (extension id: 0x0b or 11), does not contain the aforementioned extension in its output:

~/GITreps/ja3/python/ja3s.py ~/Test/chrome.pcap
[10.5.20.22:54729] JA3: 769,49161,0-65281 --> 5dd9d7e21843ad5870da6c2485c21e81

In this case, I would expect the JA3S to look like:

JA3: 769,49161,0-65281-11 --> 8685e43ade3e6ec8993efb5d149fb4bc

For comparison, the ja3.py output does contain this extension, when Client Hello has it:

~/GITreps/ja3/python/ja3.py ~/Test/chrome.pcap
[81.218.16.216:443] JA3: 769,47-53-5-10-49171-49172-49161-49162-50-56-19-4,65281-0-10-11,23-24,0 --> 1d095e68489d3c535297cd8dffb06cb9

I can provide the referenced PCAP file, if need be.

So you arrived at the name JA3. Honestly, I'm not impressed guys. I don't think this name is ambiguous enough. I think we can do better.

I propose that we change the name from JA3 to XZ8. I think if Salesforce wants to stay a leader in CRM, you need to think even harder about using acronyms and names that are even more difficult to recognise. I mean what is the point otherwise? If we are going to go with JA3, why don't we go all in?

Look. I'm sorry John Althouse ,Jeff Atkinson, and Josh Atkins but this name just doesn't cut it. If you want people to adopt this, you have to make the name even more mysterious, more vague and more ambiguous. If I only need to dig through 15 pages in my favourite search engine, to figure out why you ran with this awful name, then clearly someone wasn't trying hard enough.

No really, in all seriousness. What compels 3 people to name something so badly (even if it is after themselves) when it could be revolutionary?
Can you imagine if Linus Torvalds had decided to name his OS "LT1"?

If you truly care about adoption and visibility. Rename the project. Especially as it's now evolved past the neckbeard-joke-phase.

Throughout ja3.bro, single equals (assignment) is used for comparison in situations like:

if ( is_orig = T ) {

where I believe that == (equality) is the intended operator. I think this has been working because is_orig is always true (see issue #19 ).

A next statement in the ja3.zeek errors out in Zeek v5.2 and above. It should be a return statement.

From https://github.com/zeek/zeek/blob/master/NEWS:

• Usage of break and next statements is now validated. It was previously
  possible to place these outside of for, while or switch
  statements without any error indication.

Output when running the package errors out:
error in ./ja3/zeek/./ja3.zeek, line 69: next statement used outside of for or while statement

Offending code:
event ssl_extension(c: connection, is_orig: bool, code: count, val: string)
{
if ( ! c?$tlsfp )
c$tlsfp=TLSFPStorage();
if ( is_orig == T ) {
if ( code in grease ) {
next;
}
...

In ja3.py, line 256:

map(remove_items,output)

It does not actually remove items, because map returns an iterator that is not consumed.
Possible solution:
list(map(remove_items,output))

Ja3 always producing the same value. I have 2 different pcap. they have different random bytes value.

https://ibb.co/D7gp7Dt
https://ibb.co/qx3vbc0

But it creating the same JA3 value.

"ja3": "771,60-47-61-53-5-10-49191-49171-49172-49195-49187-49196-49188-49161-49162-64-50-106-56-19-4,65281-0-10-11-13,23-24,0",
        "ja3_digest": "4d7a28d6f2263ed61de88ca66eb011e3"

When running the ja3.bro plugin, several syntax warnings are issued:

internal warning in /opt/bro/share/bro/site/./ja3/./intel_ja3.bro, line 1: Discarded extraneous Broxygen comment: LOG FIELD VALUES ##
internal warning in /opt/bro/share/bro/site/./ja3/./intel_ja3.bro, line 1: Discarded extraneous Broxygen comment: FOR DEBUGGING ##

PR for quick and easy fix coming in a minutes

Should TLSVersion for TLS1.3 be 771 or 772?

Per RFC 8446 :

In previous versions of TLS, this field was used for
version negotiation and represented the highest version number
supported by the client. Experience has shown that many servers
do not properly implement version negotiation, leading to "version
intolerance" in which the server rejects an otherwise acceptable
ClientHello with a version number higher than it supports. In
TLS 1.3, the client indicates its version preferences in the
"supported_versions" extension (Section 4.2.1) and the
legacy_version field MUST be set to 0x0303, which is the version
number for TLS 1.2. TLS 1.3 ClientHellos are identified as having
a legacy_version of 0x0303 and a supported_versions extension
present with 0x0304 as the highest version indicated therein.

I'm of the opinion that TLSVersion should be correctly set to the actual version negotiated as JA3 spec doesn't dictate where the version is sourced: the legacy version or the version from "supported_versions" extension.

I've noticed that Wireshark will report the JA3 String for TLS1.3 with 771. However, Browserleaks will report 772.

Link is currently set to:

https://github.com/timetology/nw/tree/master/parsers/ssl_ja3

This should be updated to:

https://github.com/timetology/NetWitness/tree/master/Network/Parsers/ssl_ja3

I have the folliowing ja3/ja3 digests for a pcap I analyzed:

    "ja3": "771,4867-4865-4866-49196-49195-49188-49187-49162-49161-52393-49200-49199-49192-49191-49172-49171-52392-157-156-61-60-53-47-49160-49170-10,65281-0-23-13-5-13172-18-16-11-51-45-43-10-21,29-23-24-25,0",
    "ja3_digest": "7a7a639628f0fe5c7e057628a5bbec5a",

Now using fingerprintls tool for the same pcap, i have this data:

'record_tls_version': '0x0301',
'tls_version': '0x0303',
'ciphersuite_length': '0x0034',
'ciphersuite': '0x1303 0x1301 0x1302 0xC02C 0xC02B 0xC024 0xC023 0xC00A 0xC009 0xCCA9 0xC030 0xC02F 0xC028 0xC027 0xC014 0xC013 0xCCA8 0x009D 0x009C 0x003D 0x003C 0x0035 0x002F 0xC008 0xC012 0x000A',
'compression_length': '1',
'compression': '0x00',
'extensions': '0xFF01 0x0000 0x0017 0x000D 0x0005 0x3374 0x0012 0x0010 0x000B 0x0033 0x002D 0x002B 0x000A ',
'e_curves': '0x001D 0x0017 0x0018 0x0019 ',
'sig_alg': '0x0403 0x0804 0x0401 0x0503 0x0203 0x0805 0x0805 0x0501 0x0806 0x0601 0x0201 ',
'ec_point_fmt': '0x00',

For the extensions part of ja3:

65281-0-23-13-5-13172-18-16-11-51-45-43-10-21

I noticed that there's an additional 21 value that was added because looking at the fingerprintls output for extensions, the final element is 0x000A:

'extensions': '0xFF01 0x0000 0x0017 0x000D 0x0005 0x3374 0x0012 0x0010 0x000B 0x0033 0x002D 0x002B 0x000A ',

Now i understand that this may have something to do with GREASE. My question is should I just add 21 to the end of the extensions ALWAYS, when there is a value in the extensions (or ciphers) that is in the GREASE table? Thanks

hi there , i'd like to know if there is any tools to create ja3 finger prints .

all of the tools i've seen till now , are tools that are extracting ja3 finger prints and their md5 hash.

however i am looking for a tool that create "generate" those ja3 finger prints .

thanks

1. Type: application_settings (17513) will be ignored?
   Why? I didn't see the place mentioned

2. ja3 will change by session_ticket
   In chrome ,The ja3 of the first request and subsequent requests are different.
   The reason is that there is no session ticket for the first time.
   Most of the time, ja3 seen in a carries a session ticket.
   However, curl does not carry session tickets

Updating dpkt to 1.9.5 will cause the password to be changed from a number to the corresponding string, and the fingerprint result will be changed. When GARSE appears, the script dpkt will report an error.
When dpkt is 1.9.4,look like this:

[root@localhost python]# python3 ja3.py /home/pcap/ja3_test.pcap  
[ip:port] JA3: 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-21,29-23-24,0 --> b32309a26951912be7dba376398abc3b
[root@localhost python]# python3 ja3s.py /home/pcap/ja3_test.pcap 
[ip:port] JA3S: 771,49199,35-16 --> 4504e8d0495298feb931ec7e09f94bcc

When dpkt is 1.9.5,look like this:

[root@localhost python]# python3 ja3.py /home/pcap/ja3_test.pcap 
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/dpkt/ssl.py", line 302, in unpack
    ssl_ciphersuites.BY_CODE[code] for code in struct.unpack('!' + num_ciphersuites * 'H', ciphersuites)]
  File "/usr/local/lib/python3.6/site-packages/dpkt/ssl.py", line 302, in <listcomp>
    ssl_ciphersuites.BY_CODE[code] for code in struct.unpack('!' + num_ciphersuites * 'H', ciphersuites)]
KeyError: 27242

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "ja3.py", line 284, in <module>
    main()
  File "ja3.py", line 264, in main
    output = process_pcap(capture, any_port=args.any_port)
  File "ja3.py", line 203, in process_pcap
    handshake = dpkt.ssl.TLSHandshake(record.data)
  File "/usr/local/lib/python3.6/site-packages/dpkt/dpkt.py", line 87, in __init__
    self.unpack(args[0])
  File "/usr/local/lib/python3.6/site-packages/dpkt/ssl.py", line 421, in unpack
    self.data = embedded_type[1](self.data)
  File "/usr/local/lib/python3.6/site-packages/dpkt/dpkt.py", line 87, in __init__
    self.unpack(args[0])
  File "/usr/local/lib/python3.6/site-packages/dpkt/ssl.py", line 304, in unpack
    raise SSL3Exception('Unknown or invalid cipher suite type %x' % int(e.args[0]))
dpkt.ssl.SSL3Exception: Unknown or invalid cipher suite type 6a6a

[root@localhost python]# python3 ja3s.py /home/pcap/ja3s_test.pcap 
[ip:port]  JA3S: 771,CipherSuite(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256),35-16 --> 8ce7e2735b56d547ea7168506ac74566

When we deploy this plugin on Zeek 5.2, we receive the following error:

checking configurations ...
logger-1 scripts failed.
error in /opt/zeek/share/zeek/site/packages/./ja3/./ja3.zeek, line 69: next statement used outside of for or while statement

manager scripts failed.
error in /opt/zeek/share/zeek/site/packages/./ja3/./ja3.zeek, line 69: next statement used outside of for or while statement

proxy-1 scripts failed.
error in /opt/zeek/share/zeek/site/packages/./ja3/./ja3.zeek, line 69: next statement used outside of for or while statement

zeek01-1 scripts failed.
error in /opt/zeek/share/zeek/site/packages/./ja3/./ja3.zeek, line 69: next statement used outside of for or while statement

Do you have any suggestions or workarounds?

I pulled down the JA3S Bro script and installed it on a 2.5.3 Bro installation. JA3S fingerprints are being generated, but they never include extensions. For example: JA3S: 7770094a92b1cbfa5a6de2017cfb682a Fingerprint String: 771,49200,

I added some debug print statements to ssl_extensions() and observed that is_orig is never false (F), so the logic never fires. In ja3s.py (pull request forthcoming) and Wireshark, I can see extensions in the Sever Hellos like status_request, renegotiation_info, etc. I'm not sure if this is an issue specific to my build of Bro or if others have been able to replicate it.

i have head to https://ja3er.com/ , after some of time , i get another ja3 hash, that's change after a while , i have read this draft document.

my current browser version:
chrome version 74.0.3729.157（64 位）
mac osx 10.11.6

STFU - SSL / TLS Fingerprinting Uniqueness
STUF - SSL / TLS Unique Fingerprinting
STF - SSL / TLS Fingerprinting

seriously!

When a piece of malware issues a SSLv2 client hello, ja3.py misses it. Can ja3 apply to SSLv2 hellos? I know there are no extensions, but that could just be blank.

https://github.com/Macr0phag3/ja3box

solved #29

Any chance it will be repaired?

I am interested in getting an SNI from the Client Hello handshake processed by JA3. However, I don't have the low level background required for this, so I am finding it hard to do.

If anyone could provide me with some pointers, on what needs to be done in order to extract SNI. That help would be very much appreciated.

Thank you

I recently captured packets from my Android device of a particular application. The packets are in pcap format. But when I try to pass them into ja3 command, no output is being generated. All I get is an empty string.

However, output is generated when I pass a different pcap file which was generated on Windows.

Here is the link for both the pcap : -
https://drive.google.com/drive/folders/1khS7Bs4k9-CnvGWOiFcOhohDQ3mbrSaR?usp=sharing

Can anyone help me with this issue or maybe take a look over my Android Pcap file ?

Would be great if you could provide some sample pcaps and the expected JA3 so we can verify our implementations. Definitely hit some trickyness when the tls header and hello headers had different values and which to use

Hi I'm just wondering if this can be integrated with python requests library? What will the steps look like? I'm interested in running tests mimicking a web browser on a site that uses cloudfare. I want to use a library like requests or urllib, not browser emulation. My requests arent going through because of TLS fingerprinting since the requests library cant do this.

Normally I would request a site like this:

import requests

headers = {
    'authority': 'vplates.com.au',
    'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="99", "Google Chrome";v="99"',
    'sec-ch-ua-mobile': '?0',
    'sec-ch-ua-platform': '"Windows"',
    'upgrade-insecure-requests': '1',
    'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36',
    'accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
    'sec-fetch-site': 'none',
    'sec-fetch-mode': 'navigate',
    'sec-fetch-user': '?1',
    'sec-fetch-dest': 'document',
    'accept-language': 'en-US,en;q=0.9',
}

response = requests.get('https://example.com/', headers=headers)

But the site site uses cloudflare so I get no response. Anyway to use ja3 to get around this?

When a SSL client hello is resent, the current implementation adds the strings onto the already existing string, and then recomputes the MD5 of this bloated string and this is what gets logged.