Quick Example · Huginn Net: Multi-Protocol Passive Fingerprinting

This is a quick example showing how to use Huginn Net for passive fingerprinting and analysis of TCP, HTTP, and TLS traffic.

Initialize the database and Huginn Net engine required for TCP and HTTP analysis (Original p0f database).
Use subcommands to choose between live network capture or PCAP file analysis.
Process and log various TCP, HTTP, and TLS characteristics detected with quality scores.
TLS analysis requires a database with JA4 client signatures (JA4 database is not included in this repository).
To disable any analysis you don't need, pass false to the corresponding field in the AnalysisConfig struct.

use clap::{Parser, Subcommand};
use huginn_net::db::Database;
use huginn_net::fingerprint_result::FingerprintResult;
use huginn_net::HuginnNet;
use std::sync::mpsc;
use std::thread;
use tracing::info;

#[derive(Parser, Debug)]
#[command(version, about, long_about = None)]
struct Args {
    #[command(subcommand)]
    command: Commands,
}

#[derive(Subcommand, Debug)]
enum Commands {
    Live {
        /// Network interface name
        #[arg(short = 'i', long)]
        interface: String,
    },
    Pcap {
        /// Path to PCAP file
        #[arg(short = 'f', long)]
        file: String,
    },
}

fn main() {
    let args = Args::parse();
    let db = Box::leak(Box::new(Database::default()));
    let (sender, receiver) = mpsc::channel();

    thread::spawn(move || {
        let config = AnalysisConfig {
            tcp_analysis: true,
            http_analysis: true,
            tls_analysis: true,
        };
        let mut analyzer = HuginnNet::new(db, 100, Some(config));

        let result = match args.command {
            Commands::Live { interface } => {
                info!("Starting live capture on interface: {}", interface);
                analyzer.analyze_network(&interface, sender)
            }
            Commands::Pcap { file } => {
                info!("Analyzing PCAP file: {}", file);
                analyzer.analyze_pcap(&file, sender)
            }
        };

        if let Err(e) = result {
            eprintln!("Analysis failed: {}", e);
        }
    });

    // Process results
    for output in receiver {
        if let Some(syn) = output.syn {
            info!("{}", syn);
        }
        if let Some(syn_ack) = output.syn_ack {
            info!("{}", syn_ack);
        }
        if let Some(mtu) = output.mtu {
            info!("{}", mtu);
        }
        if let Some(uptime) = output.uptime {
            info!("{}", uptime);
        }
        if let Some(http_request) = output.http_request {
            info!("{}", http_request);
        }
        if let Some(http_response) = output.http_response {
            info!("{}", http_response);
        }
        if let Some(ja4_client) = output.ja4_client {
            info!("{}", ja4_client);
        }
    }
}

// Usage examples:
// Live capture: cargo run -- live -i eth0
// PCAP analysis: cargo run -- pcap -f traffic.pcap