README.md

April 30, 2026


Huginn Net - Multi-Protocol Passive Fingerprinting


Huginn Net fingerprints TCP, HTTP, and TLS traffic passively. No active probes, no tshark, no wireshark. Pure Rust, built entirely on open-source specifications: p0f for TCP and FoxIO's JA4 for TLS. Validated against the original p0f accuracy with ~3.1ms end-to-end per packet.

What is Passive Traffic Fingerprinting?

Passive fingerprinting infers information about remote hosts without sending any probes. By analyzing TCP/IP packets and TLS handshakes, Huginn Net identifies:

  • Operating Systems - Using p0f-inspired TCP fingerprinting to identify OS type, version, and network stack
  • Applications & Browsers - Using HTTP headers and JA4 TLS client fingerprinting for precise application identification
  • Network Infrastructure - Detecting intermediary devices, proxies, and load balancers
  • Client Capabilities - TLS versions, cipher suites, and supported extensions

Network Stack analysis supported by Huginn Net (OSI Model)

| Layer | Protocol / Feature | Huginn Net Analysis |
|-------|--------------------|---------------------|
| 7 | TLS | JA4 (FoxIO-style) + stable signature |
| 7 | HTTP | HTTP/1 & HTTP/2 - Headers, User-Agent, Lang |
| 4 | TCP | OS Fingerprinting (p0f-style) |

📚 Huginn Net Crates

| Crate | Description | Documentation |
|-------|-------------|---------------|
| huginn-net | TCP-HTTP-TLS Analysis - Complete multi-protocol network fingerprinting | 📖 Usage Guide |
| huginn-net-tcp | TCP Analysis - OS fingerprinting, MTU detection, uptime estimation | 📖 TCP Guide |
| huginn-net-http | HTTP Analysis - Browser detection, HTTP/1.x & HTTP/2 fingerprinting | 📖 HTTP Guide |
| huginn-net-tls | TLS Client Analysis - JA4 fingerprinting, TLS version detection | 📖 TLS Guide |

Which library should I use?

  • Multi protocol scanning: Use huginn-net for complete network analysis
  • TCP only: Use huginn-net-tcp for OS detection and TCP analysis
  • HTTP only: Use huginn-net-http for browser and web server detection
  • TLS only: Use huginn-net-tls for JA4 fingerprinting and TLS analysis
  • Advanced: Use huginn-net-db directly for custom signature parsing

🚀 Quick Start

Note: Live packet capture requires libpcap (usually pre-installed on Linux/macOS).

Choose Your Approach

For multi-protocol analysis:

[dependencies]
huginn-net = "1.7.5"  # Complete analysis suite

For specific protocols:

[dependencies]
huginn-net-tcp = "1.7.5"   # TCP/OS fingerprinting only
huginn-net-http = "1.7.5"  # HTTP analysis only
huginn-net-tls = "1.7.5"   # TLS/JA4 analysis only

Usage & Examples

For detailed usage examples, installation guides, and complete code samples:

📖 Complete Usage Guide - huginn-net module

📚 Examples & Tutorials - Working examples with:

  • Live network capture - Real-time analysis
  • PCAP file analysis - Offline traffic analysis
  • Protocol-specific examples - TCP, HTTP, TLS focused analysis

📊 Performance & Benchmarks

Multi-Protocol Performance Summary

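| Protocol | Detection Speed | Full Analysis | Primary Use Case |
|----------|-----------------|---------------|------------------|
| TCP | 83.3M pps | 975.6K pps | OS fingerprinting, MTU detection |
| HTTP | 142.9M pps | 526.6K pps | Browser/server detection |
| TLS | 48M pps | 45K pps | JA4 fingerprinting, TLS analysis |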

All protocols scale with multiple workers: TCP to 2.11M pps (4 workers), HTTP to 1.54M pps (2 workers), TLS to 97K pps (2–4 workers). See benches/README.md for methodology and capacity planning.

Validated Device Categories

  • Desktop Operating Systems - Windows (XP/7/8/10), Linux distributions, macOS
  • Mobile Devices - Android devices, iPhone/iPad
  • Gaming Consoles - Nintendo 3DS, Nintendo Wii
  • Web Browsers - Chrome, Firefox, Safari, Edge, Opera
  • Web Servers - Apache, nginx, IIS, lighttpd
  • Network Tools - wget, curl, various crawlers and bots
  • Legacy Systems - Older Windows versions, Unix variants

Based on signatures available in the p0f database. See huginn-net-db/config/p0f.fp for complete signature list.

Advanced Features

Multi-Protocol Support

  • TCP SYN/SYN+ACK fingerprinting for OS detection
  • HTTP Request/Response analysis for application identification
  • TLS ClientHello analysis with JA4 fingerprinting for client identification, including the stable variant JA4_s1 / JA4_s1r
  • MTU Discovery for link type detection
  • Uptime Estimation from TCP timestamps (limited accuracy on modern systems)
  • Custom Signature Databases - bring your own signatures or contribute to the shared database

Packet Filtering

Optional packet filtering by port and/or IP address for improved performance. Filters are applied before full packet parsing, reducing CPU overhead. Available across all crates. See Examples & Tutorials for usage.

Matching Quality

Each match gets a quality score based on the distance between the observed packet and the closest known signature. A richer database means better scores.

Quality Metrics

  • Perfect Match (1.0): Exact signature match with zero distance
  • High Quality (0.8-0.95): Very close match with minimal differences
  • Medium Quality (0.6-0.8): Good match with some variations
  • Low Quality (0.4-0.6): Acceptable match but with notable differences
  • Poor Quality (<0.4): Weak match, use with caution

TLS JA4 Fingerprinting

This implementation follows the official JA4 specification by FoxIO, LLC for TLS client fingerprinting. For full attribution and licensing details, please see the Attribution section. We do not implement JA4+ components which are under FoxIO License 1.1.
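
As an added illustration (not code from the Huginn Net project), the sketch below shows what a JA4-style fingerprint takes from a ClientHello and why it stays stable for a given client: it builds the readable first section and the raw, unhashed sorted lists from the publicly documented JA4 layout. The struct, the function names and the sample values are assumptions made for this example; the hashed sections, QUIC/DTLS and the JA4_s1 / JA4_s1r variants are not covered.

```rust
// Added example, not huginn-net code: the readable JA4 "a" section plus the raw
// (unhashed) sorted lists, from already-parsed ClientHello fields (TLS over TCP only).
pub struct ClientHello<'a> {
    pub legacy_version: u16,
    pub supported_versions: &'a [u16], // extension 0x002b, empty if absent
    pub ciphers: &'a [u16],
    pub extensions: &'a [u16], // extension types in wire order
    pub sig_algs: &'a [u16],   // extension 0x000d, wire order
    pub first_alpn: &'a str,   // empty if no ALPN extension
}
// GREASE (RFC 8701) values 0x0a0a, 0x1a1a, ..., 0xfafa vary per connection: drop them.
fn is_grease(v: u16) -> bool { (v & 0x0f0f) == 0x0a0a && (v >> 8) == (v & 0xff) }
fn clean(vals: &[u16]) -> Vec<u16> {
    vals.iter().copied().filter(|v| !is_grease(*v)).collect()
}
fn hex_list(vals: &[u16]) -> String {
    vals.iter().map(|v| format!("{:04x}", v)).collect::<Vec<_>>().join(",")
}
pub fn ja4_raw(h: &ClientHello) -> String {
    let ver = match clean(h.supported_versions).into_iter().max().unwrap_or(h.legacy_version) {
        0x0304 => "13", 0x0303 => "12", 0x0302 => "11", 0x0301 => "10", 0x0300 => "s3", _ => "00",
    };
    let (mut ciphers, exts) = (clean(h.ciphers), clean(h.extensions));
    let sni = if exts.contains(&0x0000) { 'd' } else { 'i' };
    let alpn = match (h.first_alpn.bytes().next(), h.first_alpn.bytes().last()) {
        (Some(f), Some(l)) if f.is_ascii_alphanumeric() && l.is_ascii_alphanumeric() =>
            format!("{}{}", f as char, l as char),
        (Some(f), Some(l)) => format!("{:x}{:x}", f >> 4, l & 0xf), // hex fallback
        _ => "00".to_string(),
    };
    let a = format!("t{}{}{:02}{:02}{}", ver, sni, ciphers.len().min(99), exts.len().min(99), alpn);
    ciphers.sort_unstable();
    // SNI (0x0000) and ALPN (0x0010) count toward the total above but are not listed.
    let mut listed: Vec<u16> = exts.into_iter().filter(|e| *e != 0x0000 && *e != 0x0010).collect();
    listed.sort_unstable();
    let sigs = clean(h.sig_algs); // kept in wire order; section omitted when empty
    let tail = if sigs.is_empty() { String::new() } else { format!("_{}", hex_list(&sigs)) };
    format!("{}_{}_{}{}", a, hex_list(&ciphers), hex_list(&listed), tail)
}
// Constructed sample: one client seen twice, with different GREASE values and ordering.
pub fn sample(grease: u16, reversed: bool) -> String {
    let mut exts = vec![grease, 0x0000, 0x0010, 0x000d, 0x002b, 0x000a];
    if reversed { exts.reverse(); }
    let h = ClientHello { legacy_version: 0x0303, supported_versions: &[grease, 0x0304],
        ciphers: &[grease, 0x1302, 0x1301, 0xc02f], extensions: &exts,
        sig_algs: &[0x0403, 0x0804], first_alpn: "h2" };
    ja4_raw(&h)
}
fn main() { println!("{}", sample(0x0a0a, false)); }
```

Both constructed observations produce the same string, which is the property that lets a fingerprint serve as a stable key in detections and allowlists even when the client randomizes GREASE values and extension order.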

Companion Projects

Network Scanning & Testing

For visual analysis and experimentation, use our companion web application:

huginn-net-profiler: Passive Network Profile Analyzer

Features:

  • Real-time fingerprint visualization
  • Interactive signature database exploration
  • Custom pattern testing and validation

Reverse Proxy

Experimental, not yet ready for production use:

huginn-proxy: High-Performance Reverse Proxy with Fingerprinting (Currently in active development)

Features:

  • TLS termination with ALPN support
  • Automatic fingerprint extraction (JA4, Akamai HTTP/2)
  • Fingerprint injection as HTTP headers (x-huginn-net-ja4, x-huginn-net-akamai)
  • Load balancing and path-based routing

🀝 Contributing

We welcome contributions! Please see our Contributing Guide for detailed information on how to get started.

Next Milestones

  • Enhanced Database - Continuous signature updates and community contributions
  • Advanced Analytics - Pattern analysis and reporting tools
  • Real-time Streaming - High-performance packet processing pipelines

📄 License

Dual-licensed under MIT or Apache 2.0.

Attribution

huginn-net is an independent Rust implementation inspired by the methodologies of p0f and JA4.

  • p0f: The TCP fingerprinting is inspired by the original p0f by Michał Zalewski. The logic has been rewritten from scratch in Rust to ensure memory safety and performance.
  • JA4: The TLS fingerprinting adheres to the JA4 specification by FoxIO, LLC, which is available under the BSD 3-Clause license. Our implementation was written from scratch for huginn-net and does not use any code from the original JA4 repository. JA4 methodology and specification are Copyright (c) 2023, FoxIO, LLC.