Nstealth - JA4+ Fingerprinting Sensor
Nstealth is a JA4+ fingerprinting sensor: a Rust library and CLI for capturing and analyzing network fingerprints. It is designed for observation-only deployment—typically on mirrored or tapped traffic—so it does not sit in the traffic path.
Nstealth vs Synapse
| | Synapse | Nstealth |
|---|---|---|
| Role | Inline reverse proxy & firewall | Out-of-band sensor |
| Traffic | Traffic flows through Synapse | Works with mirrored/tapped traffic |
| Actions | Block, allow, challenge | Observe and fingerprint only |
| Deployment | Kernel (XDP), inline | Userland (libpcap) and optional eBPF |
Use Synapse when you need to enforce policy (block/allow by IP, fingerprint, WAF). Use Nstealth when you need visibility and fingerprinting on a copy of traffic without any inline device.
Partnership
Nstealth is developed in partnership with FoxIO, creators of the JA4+ fingerprinting standard.
What Nstealth Provides
- Library — Pure types and algorithms for JA4+ (no I/O in core). Builder pattern, parsers, serde, wildcard matching. Optional eBPF types for kernel integration.
- CLI — Live packet capture and fingerprint analysis. Parse and validate fingerprint strings.
- Fingerprint types — JA4T, JA4TS, JA4, JA4S, JA4H, JA4L, JA4SSH, JA4X, JA4D, JA4D6.
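To make the "parse and validate" and "wildcard matching" features concrete, here is an added Rust example (not Nstealth's own API) that parses a JA4T string into its four fields, rejects malformed input, and matches fingerprints against field-level wildcard patterns. The field layout follows the JA4T format shown on this page (window size, dash-separated TCP option kinds, MSS, window scale); the `*` pattern syntax, the stack labels and the patterns in `KNOWN_STACKS` are this example's own constructed assumptions.

```rust
// Added example: parser and wildcard matcher for JA4T (TCP SYN) fingerprint strings.
// Not Nstealth's own code; the layout follows window_options_mss_wscale, e.g. 65535_2-4-8-1-3_1460_7.

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Ja4t {
    pub window_size: u16,
    pub options: Vec<u8>, // TCP option kinds in the order they appeared in the SYN
    pub mss: u16,
    pub window_scale: u8,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ParseError {
    FieldCount(usize),
    BadField { field: &'static str, value: String },
}

fn bad(field: &'static str, value: &str) -> ParseError {
    ParseError::BadField { field, value: value.to_string() }
}

/// Parse a JA4T string, rejecting anything that is not four underscore-separated numeric fields.
pub fn parse_ja4t(s: &str) -> Result<Ja4t, ParseError> {
    let parts: Vec<&str> = s.split('_').collect();
    if parts.len() != 4 {
        return Err(ParseError::FieldCount(parts.len()));
    }
    let window_size = parts[0].parse::<u16>().map_err(|_| bad("window_size", parts[0]))?;
    let options = parts[1]
        .split('-')
        .map(|o| o.parse::<u8>().map_err(|_| bad("options", parts[1])))
        .collect::<Result<Vec<u8>, _>>()?;
    let mss = parts[2].parse::<u16>().map_err(|_| bad("mss", parts[2]))?;
    let window_scale = parts[3].parse::<u8>().map_err(|_| bad("window_scale", parts[3]))?;
    Ok(Ja4t { window_size, options, mss, window_scale })
}

/// Field-level wildcard match: a `*` field in the pattern matches any value in that field.
/// This pattern syntax is an assumption of the example, not necessarily Nstealth's.
pub fn matches_pattern(pattern: &str, fingerprint: &str) -> bool {
    let p: Vec<&str> = pattern.split('_').collect();
    let f: Vec<&str> = fingerprint.split('_').collect();
    p.len() == f.len() && p.iter().zip(&f).all(|(pf, ff)| *pf == "*" || pf == ff)
}

/// Constructed allowlist of (label, pattern) pairs; labels and patterns are made up for this example.
pub const KNOWN_STACKS: &[(&str, &str)] = &[
    ("example-stack-a", "65535_2-4-8-1-3_1460_*"),
    ("example-stack-b", "64240_2-1-3-1-1-4_1460_*"),
];

/// Return the label of the first pattern the fingerprint matches, or None.
/// Malformed strings are never classified, so a garbage input cannot hit a wildcard by accident.
pub fn classify(fingerprint: &str) -> Option<&'static str> {
    parse_ja4t(fingerprint).ok()?;
    KNOWN_STACKS
        .iter()
        .find(|(_, pat)| matches_pattern(pat, fingerprint))
        .map(|(label, _)| *label)
}

fn main() {
    // Constructed sample inputs: two well-formed fingerprints and one malformed string.
    for fp in ["65535_2-4-8-1-3_1460_7", "64240_2-1-3-1-1-4_1460_8", "1024_2_0_abc"] {
        match parse_ja4t(fp) {
            Ok(t) => println!("{fp}: {:?} -> {:?}", t, classify(fp)),
            Err(e) => println!("{fp}: invalid ({e:?})"),
        }
    }
}
```

Validating before matching matters in a sensor pipeline: fingerprint strings that reach a SIEM or Synapse from a parser bug should be dropped or flagged, not silently matched against a permissive pattern.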
Use Cases
- Mirror / tap visibility — Attach to a SPAN port or tap. Fingerprint all traffic for visibility, threat hunting, and analytics without putting anything inline.
- Feed Synapse or SIEM — Use Nstealth as a sensor layer; feed fingerprint data to Synapse, SIEM, or custom pipelines. Sensor and firewall can run independently or together.
- Bot & tool detection — Identify bots, scrapers, and automated tools by TLS/TCP fingerprints. No client-side JavaScript—works for APIs, mobile apps, and headless traffic.
- VPN & proxy visibility — See clients behind VPNs and proxies via JA4+ fingerprints. Estimate client type and behavior without relying on source IP.
- Threat hunting & C2 — Detect malware, C2, and rogue infrastructure from fingerprint patterns. DHCP (JA4D/JA4D6) and SSH (JA4SSH) help find unauthorized devices and sessions.
- Rogue device & DHCP — Fingerprint DHCP and DHCPv6 to spot rogue DHCP servers, unknown clients, and device types. Use JA4D/JA4D6 on mirrored LAN traffic.
Supported Fingerprint Types
| Type | Description | Example |
|---|---|---|
| JA4T | TCP SYN (client) | 65535_2-4-8-1-3_1460_7 |
| JA4TS | TCP SYN-ACK (server) | 65535_2-4-8-1-3_1460_7 |
| JA4 | TLS Client Hello | t13d1516h2_8daaf6152771_... |
| JA4S | TLS Server Hello | t1302h2_1301_a56c5b993250 |
| JA4H | HTTP Headers | ge11cr15enus_a1b2c3d4e5f6_... |
| JA4L | Latency/Distance | 12500_64_407 |
| JA4SSH | SSH Session | c14s14_c14s14_c14s14 |
| JA4X | X.509 Certificate | aae71e8db6d7_b186095e22b6_... |
| JA4D | DHCP (IPv4) | disco_8_a1b2c3d4e5f6_000000000000 |
| JA4D6 | DHCPv6 (IPv6) | solicit_6_a1b2c3d4e5f6_... |
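The JA4 (TLS Client Hello) entry in the table packs several facts into its first section: transport, TLS version, SNI presence, cipher and extension counts, and ALPN. The following added Rust example (not Nstealth's own code) decodes that JA4_a section and checks that the two hashed sections are well-formed 12-character hex strings, so a fingerprint can be sanity-checked before it is stored or forwarded. The layout follows the published JA4 format; the sample string in `main` is constructed, with placeholder hash sections rather than values captured from real traffic.

```rust
// Added example, not Nstealth's own API: decode and validate a JA4 TLS fingerprint string.
// Layout: JA4_a (10 chars) _ JA4_b (12 hex) _ JA4_c (12 hex), e.g. t13d1516h2_8daaf6152771_....

#[derive(Debug, PartialEq, Eq)]
pub struct Ja4 {
    pub transport: char,        // 't' = TCP, 'q' = QUIC, 'd' = DTLS
    pub tls_version: String,    // "13" = TLS 1.3, "12" = TLS 1.2, ...
    pub has_sni: bool,          // 'd' = SNI (domain) present, 'i' = absent / IP
    pub cipher_count: u8,
    pub extension_count: u8,
    pub alpn: String,           // first and last char of the first ALPN value, "00" if none
    pub cipher_hash: String,    // JA4_b: truncated sha256 over the sorted cipher suites
    pub extension_hash: String, // JA4_c: truncated sha256 over the sorted extensions
}

#[derive(Debug, PartialEq, Eq)]
pub struct Ja4Error(pub String);

fn field<T: std::str::FromStr>(s: &str, name: &str) -> Result<T, Ja4Error> {
    s.parse::<T>().map_err(|_| Ja4Error(format!("bad {name}: {s}")))
}

pub fn parse_ja4(s: &str) -> Result<Ja4, Ja4Error> {
    let parts: Vec<&str> = s.split('_').collect();
    let (a, b, c) = match parts.as_slice() {
        [a, b, c] => (*a, *b, *c),
        _ => return Err(Ja4Error(format!("expected 3 sections, got {}", parts.len()))),
    };
    if a.len() != 10 || !a.is_ascii() {
        return Err(Ja4Error(format!("JA4_a must be 10 ASCII chars: {a}")));
    }
    let transport = a.as_bytes()[0] as char;
    if !matches!(transport, 't' | 'q' | 'd') {
        return Err(Ja4Error(format!("unknown transport {transport}")));
    }
    let has_sni = match &a[3..4] {
        "d" => true,
        "i" => false,
        other => return Err(Ja4Error(format!("bad SNI flag {other}"))),
    };
    for (name, h) in [("JA4_b", b), ("JA4_c", c)] {
        if h.len() != 12 || !h.bytes().all(|x| x.is_ascii_hexdigit()) {
            return Err(Ja4Error(format!("{name} must be 12 hex chars: {h}")));
        }
    }
    Ok(Ja4 {
        transport,
        tls_version: a[1..3].to_string(),
        has_sni,
        cipher_count: field(&a[4..6], "cipher count")?,
        extension_count: field(&a[6..8], "extension count")?,
        alpn: a[8..10].to_string(),
        cipher_hash: b.to_string(),
        extension_hash: c.to_string(),
    })
}

/// Human-readable summary of the decoded JA4_a section.
pub fn describe(j: &Ja4) -> String {
    let transport = match j.transport { 't' => "TCP", 'q' => "QUIC", _ => "DTLS" };
    let version = match j.tls_version.as_str() {
        "13" => "TLS 1.3", "12" => "TLS 1.2", "11" => "TLS 1.1", "10" => "TLS 1.0",
        "s3" => "SSL 3.0", "s2" => "SSL 2.0", other => other,
    };
    let alpn = if j.alpn == "00" { "none" } else { j.alpn.as_str() };
    let sni = if j.has_sni { "present" } else { "absent" };
    format!(
        "{version} over {transport}, SNI {sni}, {} ciphers, {} extensions, ALPN {alpn}",
        j.cipher_count, j.extension_count
    )
}

fn main() {
    // Constructed sample: the hash sections are placeholders, not captured values.
    match parse_ja4("t13d1516h2_8daaf6152771_0123456789ab") {
        Ok(j) => println!("{}", describe(&j)),
        Err(e) => println!("invalid: {}", e.0),
    }
}
```

Even without the hashes, the decoded JA4_a section is useful on its own: a fingerprint claiming TLS 1.3 with no SNI and zero extensions is already an anomaly worth a hunt, and the counts let you group traffic by client family before any hash lookup.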
Next Steps
- Installation — Install the library or CLI
- CLI usage — Live capture and parse commands
- Library usage — Rust API and fingerprint types