Support FAQ

Inside a Mercury NPF Fingerprint

Back to learning

A Network Protocol Fingerprint (NPF) is an ordered tree of byte strings. Its printable form uses hexadecimal for bytes and punctuation for structure. This makes the full fingerprint longer than a compact hash, but it preserves which selected values were observed and how they were grouped.

The format is documented in Cisco's draft NPF specification. “Draft” matters: implementations should pin a repository revision and retain the format name rather than assuming an unversioned string will always mean the same thing.

How does the notation work?

A byte string is enclosed in round brackets. For example, (0303) contains the two bytes 03 03. An ordered list is another pair of round brackets around its elements:

((04)(08)(01)(030307))

A lexicographically sorted list uses square brackets:

[(01)(030307)(04)(08)]

The brackets are not decoration. They say that the rule sorted that list as part of normalisation. Round-bracket lists preserve the order defined by the format. Nested lists let NPF retain relationships that a flat comma-separated sequence would discard.

Selection and normalisation are rule-specific

NPF does not mean “hex-encode the packet.” Each protocol format says which fields to keep, which values to reduce or replace, and which sequences to sort.

For TLS, the current draft documents three formats. The older tls format keeps extension order. tls/1 sorts all represented extensions. tls/2 sorts only selected extensions and applies additional rules to included, unassigned, and private-use extension identifiers. The TLS rules also map all GREASE cipher-suite and extension values to 0a0a rather than preserving their rotating wire values.

Those versions are not interchangeable. If two systems compare fingerprints, they need to agree on the protocol format and rule version. The version is part of the meaning, not merely release metadata.

Full string or hash nickname?

NPF defines two representations:

  • The string representation contains the hexadecimal values and tree structure. It supports direct inspection and can support exact, prefix, or approximate comparison strategies.
  • The hash representation applies SHA-256 to the string and retains 32 hexadecimal characters. It has a fixed length and is convenient for indexes and logs, but it is not reversible and supports exact matching only.

The specification describes the hash as a nickname for the full representation, not a replacement for it. Keeping only the hash removes the structure that makes NPF useful for investigation and partial comparison. It also prevents an operator from seeing which selected feature changed.

The naming scheme can carry a protocol, an optional rule identifier, and either representation. The precise URI-style naming rules are in the draft specification. In operational data, retain the full format identifier alongside the fingerprint so later software does not silently reinterpret it.

What the structure does not provide

A detailed representation is still only an observation of selected protocol features. It does not name an application with certainty. Different applications can use the same library and produce the same tree. The same application can change its tree after an upgrade or configuration change. An active client can deliberately imitate another implementation.

NPF also does not remove capture limitations. A truncated handshake may permit only a prefix comparison; a TLS-terminating intermediary changes which implementation is visible from each side. Store capture point, time, tool revision, and rule version with the result.

Start with what Cisco Mercury fingerprinting is for the collector/format boundary. For how Cisco's research adds labels and destination evidence, read destination context and TLS attribution. The Mercury, JA4 and JA3 comparison explains when this retained structure is useful and when a compact identifier is the better fit.

Related Articles

AI Crawler User Agents

A practical reference for common AI crawler user agents, operators, purposes, and recommended Peakhour bot-management actions.

AI For Cybersecurity

AI For Cybersecurity explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.

AI Image Generation

AI Image Generation explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.

© PEAKHOUR.IO PTY LTD 2026   ABN 76 619 930 826    All rights reserved.