
CLI

The Nstealth CLI provides live packet capture, fingerprint parsing, and optional JSON output. To use it, build or install Nstealth with either the full or the capture feature enabled.

Live capture

Capture and fingerprint traffic on an interface:

# Basic TCP capture
sudo nstealth capture -i eth0

# TLS on port 443
sudo nstealth capture -i eth0 --pcap 'tcp port 443'

# SSH
sudo nstealth capture -i enp0s5 --pcap 'tcp port 22'

# DHCP (UDP 67/68)
sudo nstealth capture -i eth0 --pcap 'udp port 67 or udp port 68'

# JSON output
sudo nstealth capture -i eth0 -o json

# Verbose (source port, MSS, window scale)
sudo nstealth capture -i eth0 -v

Parse mode

Parse and validate fingerprint strings:

nstealth parse ja4t "65535_2-4-8-1-3_1460_7"
nstealth parse ja4ts "65535_2-4-8-1-3_1460_7"
nstealth parse ja4t "65535_2-4-8-1-3_1460_7" -o json

Output formats

Plain (default):

[2024-01-15 10:30:45] 192.168.1.100 -> 93.184.216.34
JA4T: 65535_2-4-8-1-3_1460_7
JA4TS: 65535_2-4-8_1460_0
JA4: t13d1516h2_8daaf6152771_e5627efa2ab1
JA4S: t1302h2_1301_a56c5b993250

JSON (-o json):

{
  "timestamp": "2024-01-15T10:30:45Z",
  "src_ip": "192.168.1.100",
  "dst_ip": "93.184.216.34",
  "src_port": 54321,
  "dst_port": 443,
  "ja4t": "65535_2-4-8-1-3_1460_7",
  "ja4ts": "65535_2-4-8_1460_0",
  "ja4": "t13d1516h2_8daaf6152771_e5627efa2ab1",
  "ja4s": "t1302h2_1301_a56c5b993250"
}
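
The following Python sketch is an added example, not part of Nstealth or its documentation. It decodes the ja4t and ja4ts strings from a JSON record of the shape shown above and lists negotiated TCP options that appear in the server fingerprint but not in the client's. Assumptions: the four fields mean window size, TCP option kinds, MSS and window scale (per the public JA4T description), ja4ts describes the SYN-ACK of the same flow, and the names parse_ja4t and review_record are hypothetical.

```python
import json
import re

# Constructed sample: the JSON record shown above, trimmed to the fields used here.
SAMPLE = ('{"src_ip": "192.168.1.100", "dst_ip": "93.184.216.34", "dst_port": 443, '
          '"ja4t": "65535_2-4-8-1-3_1460_7", "ja4ts": "65535_2-4-8_1460_0"}')

# Four '_'-separated fields, as in the strings on this page. Reading them as
# window size, TCP option kinds, MSS and window scale is an assumption taken
# from the public JA4T description, not from Nstealth's source.
JA4T_RE = re.compile(
    r"([0-9]{1,5})_((?:[0-9]{1,3}(?:-[0-9]{1,3})*)?)_([0-9]{1,5})_([0-9]{1,3})")
# TCP option kinds that a SYN-ACK should only carry if the SYN offered them.
NEGOTIATED = {3: "window scale", 4: "SACK permitted", 8: "timestamps"}


def parse_ja4t(fp):
    """Return the decoded fields of a JA4T/JA4TS string or raise ValueError."""
    m = JA4T_RE.fullmatch(fp)
    if m is None:
        raise ValueError(f"malformed JA4T string: {fp!r}")
    window, mss, wscale = int(m.group(1)), int(m.group(3)), int(m.group(4))
    kinds = [int(k) for k in m.group(2).split("-")] if m.group(2) else []
    if window > 0xFFFF or mss > 0xFFFF or wscale > 0xFF or any(k > 0xFF for k in kinds):
        raise ValueError(f"field out of range: {fp!r}")
    return {"window": window, "options": kinds, "mss": mss, "wscale": wscale}


def review_record(line):
    """Decode one JSON record and list server options the client never offered."""
    rec = json.loads(line)
    client, server = parse_ja4t(rec["ja4t"]), parse_ja4t(rec["ja4ts"])
    unexpected = [NEGOTIATED[k] for k in server["options"]
                  if k in NEGOTIATED and k not in client["options"]]
    return {"flow": f'{rec["src_ip"]} -> {rec["dst_ip"]}:{rec["dst_port"]}',
            "client": client, "server": server,
            "unexpected_server_options": unexpected}


if __name__ == "__main__":
    print(json.dumps(review_record(SAMPLE), indent=2))
```

A non-empty unexpected_server_options list usually points at a middlebox rewriting the handshake or at fingerprints paired from different flows, so it is worth checking before the record is used for matching.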

pcap filter syntax

The --pcap option uses standard BPF filter expressions:

--pcap 'tcp'                          # TCP only
--pcap 'tcp port 443'                 # HTTPS
--pcap 'tcp portrange 1-1024'         # Port range
--pcap 'host 192.168.1.1'             # Host
--pcap 'tcp port 443 or tcp port 80'  # Multiple
--pcap 'udp port 67 or udp port 68'   # DHCP
--pcap 'tcp port 22'                  # SSH
