Overview
Huginn Net is a modular ecosystem of Rust libraries for passive fingerprinting and analysis of multiple network protocols, including TCP, HTTP, and TLS.
Inspired by p0f, JA4, and the Akamai HTTP/2 fingerprinting spec, Huginn Net extends passive OS fingerprinting, TLS fingerprinting, and HTTP/2 analysis to support modern detection standards and multi-protocol analysis.
The ecosystem consists of 5 specialized crates that can be used independently or together, providing maximum flexibility for your network analysis needs.
It leverages pnet, pcap-file, and tls-parser to analyze raw packets and extract protocol-specific features for robust, non-intrusive network monitoring.
This ecosystem is under active development. Feedback and contributions welcome.
Network Stack (OSI Model)
Section titled “Network Stack (OSI Model)”| Layer | Name | Protocol / Feature | Example in Huginn Net |
|---|---|---|---|
| 7 | Application Layer | TLS | JA4 (FoxIO-style) |
| 7 | Application Layer | HTTP | HTTP/1.1 & HTTP/2, Headers, Cookies, Referer, User-Agent, Lang |
| 4 | Transport Layer | TCP | OS Fingerprinting (p0f-style) |
Passive Fingerprinting Introduction
Section titled “Passive Fingerprinting Introduction”Passive fingerprinting is a technique that allows you to infer information about a remote host’s operating system, network stack, and browser without sending any probes. By analyzing characteristics of incoming TCP packets (such as window size, TTL, and TCP options), HTTP requests and responses, and TLS handshake packets.
Huginn Net Ecosystem
Section titled “Huginn Net Ecosystem”The Huginn Net ecosystem consists of 5 specialized crates:
- huginn-net - Complete multi-protocol analysis suite
- huginn-net-tcp - TCP fingerprinting & OS detection
- huginn-net-http - HTTP analysis & browser detection
- huginn-net-tls - JA4 TLS client fingerprinting
- huginn-net-db - P0f database parser & matching engine
For detailed information about each crate, see the Ecosystem documentation.
To get started with cargo, choose your approach:
Multi-Protocol Analysis
Section titled “Multi-Protocol Analysis”[dependencies]huginn-net = "1.7.4"Protocol-Specific Analysis
Section titled “Protocol-Specific Analysis”[dependencies]huginn-net-tcp = "1.7.4" # TCP/OS fingerprinting onlyhuginn-net-http = "1.7.4" # HTTP analysis onlyhuginn-net-tls = "1.7.4" # TLS/JA4 analysis onlyThe version strings above are resolved when the documentation site is built (each crate’s current max_version on crates.io).
Why choose Huginn Net?
Section titled “Why choose Huginn Net?”- No third-party tools - No tshark, wireshark, or external tools required
- Same accuracy as p0f - Validated against extensive device testing
- Modern Rust implementation - Memory safety and zero-cost abstractions
- Production performance - Processes packets in ~3.1ms with comparable speed to original p0f
- Type-safe architecture - Prevents entire classes of bugs at compile time
- Comprehensive testing - Full unit and integration test coverage
- Simple integration - Pure Rust implementation, no system libraries required
- Multi-protocol support - TCP, HTTP/1.x, HTTP/2, and TLS analysis in one unified interface
- Optional packet filtering - Filter by port, IP address, or subnet to reduce processing overhead
- Parallel processing - Multi-threaded worker pools for high-throughput live capture
- Active development - Continuously improved and maintained
Use Cases
Section titled “Use Cases”- Network Security Analysis - Identify devices, applications, and TLS clients without active scanning
- Asset Discovery - Map network infrastructure and application stack passively and safely
- Threat Detection - Detect hidden systems, suspicious TLS clients, and malicious applications
- Application Monitoring - Track browser types, versions, and TLS capabilities across networks
- Research & Forensics - Analyze traffic patterns, TLS usage, and improve security posture
- Compliance Monitoring - Track device types, OS versions, and TLS configurations
Inspiration
Section titled “Inspiration”Library is heavily inspired by ideas from p0f, JA4 and Akamai.
- p0f: Passive OS fingerprinting tool that analyzes TCP/IP stack behavior to identify operating systems without sending any probes, follows the p0f v3 specification by Michal Zalewski.
- JA4: Modern TLS fingerprinting standard that provides a structured way to identify client software and detect anomalies in TLS handshakes, specification by FoxIO, LLC.
- Akamai HTTP/2: HTTP/2 fingerprinting follows the Blackhat EU 2017 specification.
License
Section titled “License”Licensed under the MIT License and Apache 2.0 License for best adaptability to different use cases.