JA4+ fingerprinting sensor with userland and eBPF support. Works with mirrored traffic—no inline deployment. Capture and analyze TCP, TLS, HTTP, SSH, and DHCP fingerprints at scale.
Nstealth is developed in partnership with FoxIO, creators of the JA4+ fingerprinting standard.
/ Synapse vs Nstealth
Synapse: Reverse proxy and firewall in the traffic path. XDP-based packet filtering, threat intelligence, and automated response. Traffic flows through Synapse; it can block, allow, or modify.
Inline deployment (traffic passes through)
Block, allow, challenge
Kernel-level (XDP) filtering
Nstealth: Observation-only sensor. Works with mirrored or tapped traffic—no inline deployment. JA4+ fingerprinting (userland and eBPF) for visibility, analytics, and threat hunting. Traffic is never modified or blocked.
Mirrored / tapped traffic (out-of-band)
Observe and fingerprint only
Userland (libpcap) and eBPF
/ why Nstealth
Works with SPAN/mirror ports and network taps. No inline deployment—observe traffic without affecting latency or availability.
JA4T, JA4TS, JA4, JA4S, JA4H, JA4L, JA4SSH, JA4X, JA4D, JA4D6. TCP, TLS, HTTP, SSH, DHCP fingerprinting in one sensor.
Live capture and file analysis via CLI. Rust library with serde, wildcard matching, and optional eBPF support for kernel integration.
/ fingerprint types
TCP SYN (client) and SYN-ACK (server) fingerprints.
TLS Client Hello and Server Hello fingerprints.
HTTP headers and latency/distance fingerprints.
SSH session, X.509 cert, DHCP (IPv4), and DHCPv6 fingerprints.
/ use cases
Attach to a SPAN port or tap. Fingerprint all traffic for visibility, threat hunting, and analytics without putting anything inline.
Use Nstealth as a sensor layer; feed fingerprint data to Synapse, SIEM, or custom pipelines. Sensor and firewall can run independently or together.
Identify bots, scrapers, and automated tools by TLS/TCP fingerprints. No client-side JavaScript—works for APIs, mobile apps, and headless traffic.
See clients behind VPNs and proxies via JA4+ fingerprints. Estimate client type and behavior without relying on source IP.
Detect malware, C2, and rogue infrastructure from fingerprint patterns. DHCP (JA4D/JA4D6) and SSH (JA4SSH) help find unauthorized devices and sessions.
Fingerprint DHCP and DHCPv6 to spot rogue DHCP servers, unknown clients, and device types. Use JA4D/JA4D6 on mirrored LAN traffic.
JA4+ fingerprinting on mirrored traffic