Library
The Nstealth library provides JA4+ fingerprint types, builders, parsers, and utilities. The core has no I/O; use the capture feature for live capture and bpf for eBPF integration.
TCP fingerprinting (JA4T / JA4TS)
```rust
use nstealth::{Ja4t, Ja4ts, Ja4tPattern};

// Build JA4T from raw TCP values (client SYN)
let ja4t = Ja4t::new(65535, &[2, 3], Some(1460), Some(7));
println!("{}", ja4t.fingerprint()); // "65535_2-3_1460_7"

// Build JA4TS from server SYN-ACK
let ja4ts = Ja4ts::new(65535, &[2, 4, 8, 1, 3], Some(1460), Some(7));
println!("{}", ja4ts.fingerprint()); // "65535_2-4-8-1-3_1460_7"

// Parse from string
let parsed = Ja4t::parse("65535_2-3_1460_7").unwrap();

// Wildcard pattern matching
let pattern = Ja4tPattern::parse("*_2-3_1460_*").unwrap();
assert!(parsed.matches(&pattern));
```
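Wildcard matching of this kind can be used to flag hosts whose TCP stack does not look like what a network segment should contain. The block below is an added example, not Nstealth's code: a std-only sketch that re-implements the four-field JA4T layout and the matching independently of the crate. The helper names (`parse_ja4t`, `ja4t_matches`, `unexpected`), the sample addresses and fingerprints, and the rule that `*` replaces one whole field are assumptions made for illustration.

```rust
// Stand-alone sketch (std only); not the nstealth implementation.
// Assumption: a JA4T string is window_options_mss_wscale, and "*" in a
// pattern stands for one whole field.

/// Split a JA4T string into its four fields, checking that each is numeric
/// and in range (16-bit window and MSS, 8-bit option kinds and window scale).
fn parse_ja4t(s: &str) -> Option<[&str; 4]> {
    let f: Vec<&str> = s.split('_').collect();
    if f.len() != 4 {
        return None;
    }
    f[0].parse::<u16>().ok()?;
    for kind in f[1].split('-') {
        kind.parse::<u8>().ok()?;
    }
    f[2].parse::<u16>().ok()?;
    f[3].parse::<u8>().ok()?;
    Some([f[0], f[1], f[2], f[3]])
}

/// Field-by-field comparison; a malformed fingerprint or pattern never matches.
fn ja4t_matches(fp: &str, pattern: &str) -> bool {
    let Some(fields) = parse_ja4t(fp) else { return false };
    let pat: Vec<&str> = pattern.split('_').collect();
    pat.len() == 4 && fields.iter().zip(&pat).all(|(f, p)| *p == "*" || f == p)
}

/// Sources whose fingerprint matches none of the expected patterns.
fn unexpected<'a>(observed: &[(&'a str, &'a str)], expected: &[&str]) -> Vec<&'a str> {
    observed
        .iter()
        .filter(|(_, fp)| !expected.iter().any(|p| ja4t_matches(fp, p)))
        .map(|(src, _)| *src)
        .collect()
}

fn main() {
    // Constructed sample observations: (source address, JA4T string).
    let observed = [
        ("192.0.2.10", "65535_2-3_1460_7"),
        ("192.0.2.11", "64240_2-4-8-1-3_1460_7"),
        ("192.0.2.12", "65535_2-3_1460"), // malformed: only three fields
    ];
    for src in unexpected(&observed, &["*_2-3_1460_*"]) {
        println!("unexpected TCP fingerprint from {src}");
    }
}
```

Malformed fingerprints are reported alongside mismatches because they match no pattern, which keeps a truncated or corrupted record from silently passing the filter.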
DHCP fingerprinting (JA4D)
```rust
use nstealth::{Ja4d, DhcpMessageType};

// Build JA4D from the message type, option lists and vendor class
let ja4d = Ja4d::new(
    DhcpMessageType::Discover,
    vec![53, 55, 60, 61],
    vec![1, 3, 6, 15, 28, 51, 58, 59],
    Some("MSFT 5.0".to_string()),
);
println!("{}", ja4d.fingerprint()); // "disco_8_..."

// Parse from DHCP packet payload
// (`dhcp_data` holds the raw DHCP payload bytes, obtained elsewhere)
if let Some(ja4d) = Ja4d::from_dhcp_payload(&dhcp_data) {
    println!("Client MAC: {:?}", ja4d.client_mac_str());
    println!("Vendor: {:?}", ja4d.vendor_class);
}
```
Features
- Builder pattern — Construct fingerprints from raw values.
- Parser functions — Parse fingerprint strings back to structs.
- Serde — Serialize/deserialize for APIs and logging (enable `json` feature).
- Wildcard matching — Pattern matching for filtering (e.g. `Ja4tPattern`).
- eBPF — Optional `bpf` feature for BPF data types and kernel integration.
Fingerprint types in the library
| Type | Module / types | Description |
|---|---|---|
| JA4T | Ja4t, Ja4tPattern | TCP SYN (client) |
| JA4TS | Ja4ts | TCP SYN-ACK (server) |
| JA4 | | TLS Client Hello |
| JA4S | | TLS Server Hello |
| JA4H | | HTTP headers |
| JA4L | | Latency/distance |
| JA4SSH | | SSH session |
| JA4X | | X.509 certificate |
| JA4D | Ja4d, DhcpMessageType | DHCP (IPv4) |
| JA4D6 | | DHCPv6 |
See the Nstealth crate documentation and GitHub for full API details.
Next
- CLI — Live capture and parse commands
- Installation — Install and feature flags