Overview
Huginn Net is a modular ecosystem of Rust libraries for passive fingerprinting and analysis of multiple network protocols, including TCP, HTTP, and TLS.
Inspired by p0f and JA4, Huginn Net extends passive OS fingerprinting and TLS fingerprinting to support modern detection standards and multi-protocol analysis.
The ecosystem consists of 5 specialized crates that can be used independently or together, providing maximum flexibility for your network analysis needs.
It leverages pnet, pcap-file, and tls-parser to analyze raw packets and extract protocol-specific features for robust, non-intrusive network monitoring.
This ecosystem is under active development. Feedback and contributions are welcome.
Network Stack (OSI Model)
| Layer | Name | Protocol / Feature | Example in Huginn Net |
|---|---|---|---|
| 7 | Application Layer | TLS | JA4 (FoxIO-style) |
| 7 | Application Layer | HTTP | HTTP/1.1 & HTTP/2, Headers, Cookies, Referer, User-Agent, Lang |
| 4 | Transport Layer | TCP | OS Fingerprinting (p0f-style) |
Passive Fingerprinting Introduction
Passive fingerprinting is a technique that lets you infer information about a remote host's operating system, network stack, and browser without sending any probes. It works by analyzing characteristics of incoming TCP packets (such as window size, TTL, and TCP options), HTTP requests and responses, and TLS handshake packets.
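To make the TCP part concrete, here is an added example (not Huginn Net's code, and it does not use its API) that pulls the features named above out of a single IPv4 SYN using only the standard library. The names `SynFeatures`, `parse_syn` and `SAMPLE_SYN`, the option labels, and the sample packet bytes are all constructed for this illustration.

```rust
// Added example (std only); type, function and label names are this example's own.
#[derive(Debug, PartialEq)]
pub struct SynFeatures {
    pub initial_ttl: u8, // observed TTL rounded up to a common initial value
    pub window: u16,
    pub mss: Option<u16>,
    pub wscale: Option<u8>,
    pub layout: Vec<&'static str>, // order of TCP options as sent
}
// Constructed sample: IPv4 + TCP SYN, observed TTL 57, options mss,sok,ts,nop,ws.
pub const SAMPLE_SYN: &[u8] = &[
    0x45, 0, 0, 0x3c, 0x1c, 0x46, 0x40, 0, 0x39, 6, 0, 0, 192, 0, 2, 10, 198, 51, 100, 5,
    0xc3, 0x50, 0x01, 0xbb, 0, 0, 0, 0, 0, 0, 0, 0, 0xa0, 0x02, 0xfa, 0xf0, 0, 0, 0, 0,
    2, 4, 0x05, 0xb4, 4, 2, 8, 10, 0, 0, 0, 1, 0, 0, 0, 0, 1, 3, 3, 7,
];
pub fn parse_syn(pkt: &[u8]) -> Option<SynFeatures> {
    // IPv4: version/IHL at byte 0, TTL at 8, protocol at 9 (6 = TCP).
    if pkt.len() < 20 || pkt[0] >> 4 != 4 || pkt[9] != 6 { return None; }
    let ihl = (pkt[0] & 0x0f) as usize * 4;
    if ihl < 20 { return None; }
    let tcp = pkt.get(ihl..)?;
    if tcp.len() < 20 { return None; }
    let doff = (tcp[12] >> 4) as usize * 4;
    // Only a pure SYN (SYN set, ACK clear) shows the client's stack defaults.
    if doff < 20 || tcp.len() < doff || tcp[13] & 0x12 != 0x02 { return None; }
    let initial_ttl = [32u8, 64, 128, 255].iter().copied().find(|&t| pkt[8] <= t)?;
    let window = u16::from_be_bytes([tcp[14], tcp[15]]);
    let mut f = SynFeatures { initial_ttl, window, mss: None, wscale: None, layout: vec![] };
    let (opts, mut i) = (&tcp[20..doff], 0);
    while i < opts.len() {
        if opts[i] == 0 { f.layout.push("eol"); break; }
        if opts[i] == 1 { f.layout.push("nop"); i += 1; continue; }
        // Remaining options are kind, length, data; reject truncated lengths.
        let len = *opts.get(i + 1)? as usize;
        if len < 2 || i + len > opts.len() { return None; }
        let label = match (opts[i], &opts[i + 2..i + len]) {
            (2, [a, b]) => { f.mss = Some(u16::from_be_bytes([*a, *b])); "mss" }
            (3, [s]) => { f.wscale = Some(*s); "ws" }
            (4, []) => "sok",
            (8, _) => "ts",
            _ => "?",
        };
        f.layout.push(label);
        i += len;
    }
    Some(f)
}
fn main() { println!("{:?}", parse_syn(SAMPLE_SYN)); }
```

The combination of initial TTL, window size, MSS, window scale and option order is what a p0f-style signature database is matched against; none of it requires sending a packet to the host.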
Huginn Net Ecosystem
The Huginn Net ecosystem consists of 5 specialized crates:
- huginn-net - Complete multi-protocol analysis suite
- huginn-net-tcp - TCP fingerprinting & OS detection
- huginn-net-http - HTTP analysis & browser detection
- huginn-net-tls - JA4 TLS client fingerprinting
- huginn-net-db - P0f database parser & matching engine
For detailed information about each crate, see the Ecosystem documentation.
To get started with cargo, choose your approach:
Multi-Protocol Analysis
[dependencies]
huginn-net = ""
Protocol-Specific Analysis
[dependencies]
huginn-net-tcp = "" # TCP/OS fingerprinting only
huginn-net-http = "" # HTTP analysis only
huginn-net-tls = "" # TLS/JA4 analysis only
Why choose Huginn Net?
- No third-party tools - No tshark, wireshark, or external tools required
- Same accuracy as p0f - Validated against extensive device testing
- Modern Rust implementation - Memory safety and zero-cost abstractions
- Production performance - Processes packets in ~3.1ms with comparable speed to original p0f
- Type-safe architecture - Prevents entire classes of bugs at compile time
- Comprehensive testing - Full unit and integration test coverage
- Simple integration - Pure Rust implementation, no system libraries required
- Multi-protocol support - TCP, HTTP/1.x, HTTP/2, and TLS analysis in one unified interface
- Optional packet filtering - Filter by port, IP address, or subnet to reduce processing overhead
- Parallel processing - Multi-threaded worker pools for high-throughput live capture
- Active development - Continuously improved and maintained
Use Cases
- Network Security Analysis - Identify devices, applications, and TLS clients without active scanning
- Asset Discovery - Map network infrastructure and application stack passively and safely
- Threat Detection - Detect hidden systems, suspicious TLS clients, and malicious applications
- Application Monitoring - Track browser types, versions, and TLS capabilities across networks
- Research & Forensics - Analyze traffic patterns, TLS usage, and improve security posture
- Compliance Monitoring - Track device types, OS versions, and TLS configurations
Inspiration
The library is heavily inspired by ideas from p0f and JA4.
p0f: Passive OS fingerprinting tool that analyzes TCP/IP stack behavior to identify operating systems without sending any probes.
JA4: Modern TLS fingerprinting standard that provides a structured way to identify client software and detect anomalies in TLS handshakes.
License
Licensed under the MIT License and Apache 2.0 License for best adaptability to different use cases.