Overview · Huginn Net: Multi-Protocol Passive Fingerprinting

Huginn Net is a modular ecosystem of Rust libraries for passive fingerprinting and analysis of multiple network protocols, including TCP, HTTP, and TLS.
Inspired by p0f and JA4, Huginn Net extends passive OS fingerprinting and TLS fingerprinting to support modern detection standards and multi-protocol analysis.
The ecosystem consists of 5 specialized crates that can be used independently or together, providing maximum flexibility for your network analysis needs.
It leverages pnet, pcap-file, and tls-parser to analyze raw packets and extract protocol-specific features for robust, non-intrusive network monitoring.
This ecosystem is under active development. Feedback and contributions welcome.

Network Stack (OSI Model)

Layer	Name	Protocol / Feature	Example in Huginn Net
7	Application Layer	TLS	JA4 (FoxIO-style)
7	Application Layer	HTTP	HTTP/1.1 & HTTP/2, Headers, Cookies, Referer, User-Agent, Lang
4	Transport Layer	TCP	OS Fingerprinting (p0f-style)

Passive Fingerprinting Introduction

Passive fingerprinting is a technique that allows you to infer information about a remote host's operating system, network stack, and browser without sending any probes. By analyzing characteristics of incoming TCP packets (such as window size, TTL, and TCP options), HTTP requests and responses, and TLS handshake packets.

Huginn Net Ecosystem

The Huginn Net ecosystem consists of 5 specialized crates:

huginn-net - Complete multi-protocol analysis suite
huginn-net-tcp - TCP fingerprinting & OS detection
huginn-net-http - HTTP analysis & browser detection
huginn-net-tls - JA4 TLS client fingerprinting
huginn-net-db - P0f database parser & matching engine

For detailed information about each crate, see the Ecosystem documentation.

To get started with cargo, choose your approach:

Multi-Protocol Analysis

[dependencies]
huginn-net = ""

Protocol-Specific Analysis

[dependencies]
huginn-net-tcp = ""   # TCP/OS fingerprinting only
huginn-net-http = ""  # HTTP analysis only
huginn-net-tls = ""   # TLS/JA4 analysis only

Features

Passive Analysis: Unlike active fingerprinting tools, huginn-net does not send any packets to the target host, making it less intrusive and more stealthy.
Modern Rust Implementation: Leveraging Rust's safety and concurrency features, huginn-net provides a reliable and efficient library for passive fingerprinting.
Extensibility: Designed with modularity in mind, allowing for easy addition of new fingerprinting signatures and heuristics.
Integration-Friendly: Can be integrated into various Rust-based network analysis tools and applications.

Use Cases

Network Monitoring: Identify operating systems and network devices on your network without active scanning.
Security Analysis: Detect potentially unauthorized devices or unexpected changes in your network's landscape.
Research: Study the distribution of operating systems and network stacks in different environments.

Inspiration

Library is heavily inspired by ideas from p0f and JA4.

p0f: Passive OS fingerprinting tool that analyzes TCP/IP stack behavior to identify operating systems without sending any probes.
JA4: Modern TLS fingerprinting standard that provides a structured way to identify client software and detect anomalies in TLS handshakes.

License

Licensed under the MIT License and Apache 2.0 License for best adaptability to different use cases.