Quick Example

This page shows quick examples for using Huginn Net ecosystem crates for passive fingerprinting and analysis.

Choose the approach that best fits your needs:

  • Complete Analysis - Use huginn-net for multi-protocol analysis
  • TCP Only - Use huginn-net-tcp for OS detection and TCP analysis
  • HTTP Only - Use huginn-net-http for browser and server detection
  • TLS Only - Use huginn-net-tls for JA4 fingerprinting

Complete Multi-Protocol Analysis

Use huginn-net when you need comprehensive analysis across all protocols:

use clap::{Parser, Subcommand};
use huginn_net::db::Database;
use huginn_net::fingerprint_result::FingerprintResult;
use huginn_net::HuginnNet;
use std::sync::mpsc;
use std::thread;
use tracing::info;

#[derive(Parser, Debug)]
#[command(version, about, long_about = None)]
struct Args {
    #[command(subcommand)]
    command: Commands,
}

#[derive(Subcommand, Debug)]
enum Commands {
    Live {
        /// Network interface name
        #[arg(short = 'i', long)]
        interface: String,
    },
    Pcap {
        /// Path to PCAP file
        #[arg(short = 'f', long)]
        file: String,
    },
}

fn main() {
    let args = Args::parse();
    let db = Box::leak(Box::new(Database::default()));
    let (sender, receiver) = mpsc::channel();

    thread::spawn(move || {
        let config = AnalysisConfig {
            tcp_analysis: true,
            http_analysis: true,
            tls_analysis: true,
        };
        let mut analyzer = HuginnNet::new(db, 100, Some(config));

        let result = match args.command {
            Commands::Live { interface } => {
                info!("Starting live capture on interface: {}", interface);
                analyzer.analyze_network(&interface, sender)
            }
            Commands::Pcap { file } => {
                info!("Analyzing PCAP file: {}", file);
                analyzer.analyze_pcap(&file, sender)
            }
        };

        if let Err(e) = result {
            eprintln!("Analysis failed: {}", e);
        }
    });

    // Process results
    for output in receiver {
        if let Some(syn) = output.syn {
            info!("{}", syn);
        }
        if let Some(syn_ack) = output.syn_ack {
            info!("{}", syn_ack);
        }
        if let Some(mtu) = output.mtu {
            info!("{}", mtu);
        }
        if let Some(uptime) = output.uptime {
            info!("{}", uptime);
        }
        if let Some(http_request) = output.http_request {
            info!("{}", http_request);
        }
        if let Some(http_response) = output.http_response {
            info!("{}", http_response);
        }
        if let Some(ja4_client) = output.ja4_client {
            info!("{}", ja4_client);
        }
    }
}

// Usage examples:
// Live capture: cargo run -- live -i eth0
// PCAP analysis: cargo run -- pcap -f traffic.pcap

TCP-Only Analysis (huginn-net-tcp)

Use huginn-net-tcp for OS detection, MTU calculation, and uptime estimation:

use huginn_net_tcp::{HuginnNetTcp, TcpAnalysisResult, HuginnNetTcpError};
use huginn_net_db::Database;
use std::sync::mpsc;
use std::thread;

fn main() -> Result<(), HuginnNetTcpError> {
    let db = Database::load_default()?;
    let mut analyzer = HuginnNetTcp::new(Some(&db), 1000)?;
    
    let (sender, receiver) = mpsc::channel::<TcpAnalysisResult>();
    
    let handle = thread::spawn(move || {
        analyzer.analyze_network("eth0", sender, None)
    });
    
    for result in receiver {
        if let Some(syn) = result.syn {
            println!("{}", syn);
        }
        if let Some(syn_ack) = result.syn_ack {
            println!("{}", syn_ack);
        }
        if let Some(mtu) = result.mtu {
            println!("{}", mtu);
        }
        if let Some(uptime) = result.uptime {
            println!("{}", uptime);
        }
    }
    
    handle.join().unwrap()?;
    Ok(())
}

HTTP-Only Analysis (huginn-net-http)

Use huginn-net-http for browser detection and web server identification:

use huginn_net_http::{HuginnNetHttp, HttpAnalysisResult, HuginnNetHttpError};
use huginn_net_db::Database;
use std::sync::mpsc;
use std::thread;

fn main() -> Result<(), HuginnNetHttpError> {
    let db = Database::load_default()?;
    let mut analyzer = HuginnNetHttp::new(Some(&db), 1000)?;
    
    let (sender, receiver) = mpsc::channel::<HttpAnalysisResult>();
    
    let handle = thread::spawn(move || {
        analyzer.analyze_network("eth0", sender, None)
    });
    
    for result in receiver {
        if let Some(http_request) = result.http_request {
            println!("{}", http_request);
        }
        if let Some(http_response) = result.http_response {
            println!("{}", http_response);
        }
    }
    
    handle.join().unwrap()?;
    Ok(())
}

TLS-Only Analysis (huginn-net-tls)

Use huginn-net-tls for JA4 fingerprinting and TLS client identification:

use huginn_net_tls::{HuginnNetTls, TlsClientOutput, HuginnNetTlsError};
use std::sync::mpsc;
use std::thread;

fn main() -> Result<(), HuginnNetTlsError> {
    let mut analyzer = HuginnNetTls::new();
    
    let (sender, receiver) = mpsc::channel::<TlsClientOutput>();
    
    let handle = thread::spawn(move || {
        analyzer.analyze_network("eth0", sender, None)
    });
    
    for tls in receiver {
        println!("{}", tls);
    }
    
    handle.join().unwrap()?;
    Ok(())
}

PCAP File Analysis

All crates support PCAP file analysis. Simply replace analyze_network with analyze_pcap:

// For any of the above examples, replace:
analyzer.analyze_network("eth0", sender, None)

// With:
analyzer.analyze_pcap("capture.pcap", sender, None)

Key Differences

  • huginn-net-tcp and huginn-net-http require a database for signature matching
  • huginn-net-tls works without a database (JA4 is computed algorithmically)
  • huginn-net combines all protocols and provides unified results
  • Protocol-specific crates offer better performance for targeted analysis
Ecosystem SYN and SYN+ACK Packets