huginn-net
Multi-protocol passive fingerprinting library: TCP/HTTP (p0f-style) + TLS (JA4) analysis.
This is the main orchestrator crate that combines all protocol analyzers into a unified interface.
Quick Start
Installation
Add to your Cargo.toml:
[dependencies]
huginn-net = "1.5.1"
Examples & Tutorials
Complete Usage Guide - Detailed examples with:
- Live network capture - Real-time analysis
- PCAP file analysis - Offline traffic analysis
- Protocol-specific examples - TCP, HTTP, TLS focused analysis
Basic Usage
Live Network Analysis
use ;
use HuginnNetError;
use mpsc;
use thread;
PCAP File Analysis
use ;
use HuginnNetError;
use mpsc;
use thread;
For complete working examples, see examples/capture.rs.
Package Analysis Output
.-[ 1.2.3.4/1524 -> 4.3.2.1/80 (syn) ]-
|
| client = 1.2.3.4/1524
| os = Windows XP
| dist = 8
| params = none
| raw_sig = 4:120+8:0:1452:65535,0:mss,nop,nop,sok:df,id+:0
`----
.-[ 1.2.3.4/1524 -> 4.3.2.1/80 (syn+ack) ]-
|
| server = 4.3.2.1/80
| os = Linux 3.x
| dist = 0
| params = none
| raw_sig = 4:64+0:0:1460:mss*10,0:mss,nop,nop,sok:df:0
`----
.-[ 1.2.3.4/1524 -> 4.3.2.1/80 (mtu) ]-
|
| client = 1.2.3.4/1524
| link = DSL
| raw_mtu = 1492
`----
.-[ 1.2.3.4/1524 -> 4.3.2.1/80 (uptime) ]-
|
| client = 1.2.3.4/1524
| uptime = 0 days 11 hrs 16 min (modulo 198 days)
| raw_freq = 250.00 Hz
`----
.-[ 1.2.3.4/1524 -> 4.3.2.1/80 (http request) ]-
|
| client = 1.2.3.4/1524
| app = Firefox:10.x or newer
| lang = English
| params = none
| raw_sig = 1:Host,User-Agent,Accept=[,*/*;q=],?Accept-Language=[;q=],Accept-Encoding=[gzip, deflate],?DNT=[1],Connection=[keep-alive],?Referer:Accept-Charset,Keep-Alive:Firefox/
`----
.-[ 192.168.1.22/58494 -> 91.189.91.21/80 (http response) ]-
|
| server = 91.189.91.21/80
| app = nginx/1.14.0 (Ubuntu)
| params = anonymous
| raw_sig = server=[nginx/1.14.0 (Ubuntu)],date=[Tue, 17 Dec 2024 13:54:16 GMT],x-cache-status=[from content-cache-1ss/0],connection=[close]:Server,Date,X-Cache-Status,Connection:
`----
.-[ 192.168.1.10/45234 -> 172.217.5.46/443 (tls client) ]-
|
| client = 192.168.1.10/45234
| ja4 = t13d1516h2_8daaf6152771_b0da82dd1658
| ja4_r = t13d1516h2_002f,0035,009c,009d,1301,1302,1303_0005,000a,000b,000d,0012,0015,002b,0033,002d
| ja4_o = t13d1516h2_8daaf6152771_b0da82dd1658
| ja4_or = t13d1516h2_002f,0035,009c,009d,1301,1302,1303_0005,000a,000b,000d,0012,0015,002b,0033,002d
| sni = www.google.com
| version = 1.3
`----
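The TCP `raw_sig` strings above use p0f's colon-separated layout, and the `dist` value in each block is the hop estimate after the `+` in the TTL field. The following added example (not code from huginn-net; `TcpSig`, `Window` and `parse_raw_sig` are hypothetical names) parses those strings so the fields can be used in detection tooling:

```rust
// Added example: stand-alone parser for the p0f-style TCP `raw_sig` strings shown above.
// All type and function names are hypothetical; this is not the huginn-net API.
#[derive(Debug, PartialEq)]
pub enum Window { Fixed(u16), MssTimes(u16), Other(String) }
#[derive(Debug)]
pub struct TcpSig {
    pub observed_ttl: u8,
    pub distance: u8,
    pub mss: Option<u16>,
    pub window: Window,
    pub scale: Option<u8>,
    pub options: Vec<String>,
    pub quirks: Vec<String>,
}

impl TcpSig {
    /// TTL the sender started from: observed TTL plus estimated hop count.
    pub fn initial_ttl(&self) -> u16 { self.observed_ttl as u16 + self.distance as u16 }
}
fn list(s: &str) -> Vec<String> {
    s.split(',').filter(|x| !x.is_empty()).map(str::to_string).collect()
}

/// Field layout: ver:ttl+dist:olen:mss:wsize,scale:olayout:quirks:pclass
pub fn parse_raw_sig(sig: &str) -> Result<TcpSig, String> {
    let f: Vec<&str> = sig.trim().split(':').collect();
    if f.len() != 8 { return Err(format!("expected 8 fields, got {}", f.len())); }
    let (ttl, dist) = f[1].split_once('+').ok_or("ttl is not observed+distance")?;
    let (win, scale) = f[4].split_once(',').ok_or("window is not wsize,scale")?;
    let window = match win.strip_prefix("mss*") {
        Some(n) => Window::MssTimes(n.parse::<u16>().map_err(|_| "bad mss multiplier")?),
        None => win.parse::<u16>().map(Window::Fixed).unwrap_or_else(|_| Window::Other(win.to_string())),
    };
    Ok(TcpSig {
        observed_ttl: ttl.parse::<u8>().map_err(|_| "bad ttl")?,
        distance: dist.parse::<u8>().map_err(|_| "bad distance")?,
        mss: f[3].parse().ok(),    // "*" wildcard becomes None
        window,
        scale: scale.parse().ok(), // "*" wildcard becomes None
        options: list(f[5]),
        quirks: list(f[6]),
    })
}

fn main() {
    // Constructed input: the (syn) raw_sig from the sample output above.
    let s = parse_raw_sig("4:120+8:0:1452:65535,0:mss,nop,nop,sok:df,id+:0").unwrap();
    println!("initial ttl {}, mss {:?}, quirks {:?}", s.initial_ttl(), s.mss, s.quirks);
}
```

For the two samples above this gives initial TTLs of 128 and 64, matching the Windows and Linux labels in the `os` lines.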
Protocol Crates
For individual protocol analysis, you can use the specific crates:
- huginn-net-tcp - TCP fingerprinting (p0f-style)
- huginn-net-http - HTTP analysis
- huginn-net-tls - TLS fingerprinting (JA4)
Documentation
For complete documentation, examples, and usage guides, see the main repository.
License
Licensed under either of Apache License, Version 2.0 or MIT license at your option.