Support FAQ

Public Network Fingerprint Databases and What They Cover

Back to learning

There is no single public fingerprint database covering modern TLS clients, servers, operating systems, HTTP stacks, SSH clients and device profiles with reliable ground truth. The useful public resources solve narrower problems.

This guide groups them by what they actually contain. Counts and access conditions were checked in July 2026 and will change.

Application and implementation mappings

Resource Public format Coverage Current use Main limit
FoxIO JA4 sample CSV JA4, JA4S, JA4H, JA4X, JA4T and JA4TScan Seed mappings and format examples Only 66 rows; sparse provenance
Salesforce JA3 lists CSV Historical macOS/Linux applications Legacy JA3 lookup examples Archived; roughly 159 mappings; no capture metadata
Trisul ja3prints JSONL and CSV Historical applications, browsers and malware Inspectable legacy JA3 mappings Last updated in 2018; unclear dataset-wide licence
FingerprinTLS JSONL and compiled DB Rich historical ClientHello signatures Research and format lineage Archived; most entries are from the 2010s

FoxIO's sample columns are:

Application,Library,Device,OS,ja4,ja4s,ja4h,ja4x,ja4t,ja4tscan,Notes

Only 35 of its 66 rows contain a core JA4 value; other methods have fewer examples. The sample is useful for understanding how several observations can be combined. It is not large enough to establish broad application coverage.

The Salesforce list is simpler:

JA3 MD5 hash, application name or names

Its repository was archived in 2025 and describes the mappings as examples or best guesses. The former crowd-sourced ja3er.com service should be treated as historical unless its ownership and current availability are re-established.

FingerprinTLS keeps more of the source handshake, including record and TLS versions, cipher suites, compression, extensions, groups and signature algorithms. That detail is valuable for historical research, but the labels often lack a source PCAP, capture date and confidence.

Hosted mapping and device-classification services

Service Inputs and outputs Access boundary
JA4DB JA4-family values, application, library, device, OS, notes, observations and detection guidance Account-oriented; public bulk export and dataset licence are unclear
Fingerbank DHCPv4/v6, user agents, OUI/MAC, mDNS and destinations; returns device hierarchy and score API key and service terms; corpus is not an open-source download

JA4DB is the closest current service to a multi-surface network-fingerprint mapping database. Its hosted data should not be confused with the small GitHub CSV or assumed to inherit the BSD licence covering core JA4. Other JA4+ methods use different FoxIO licensing, and the hosted dataset has its own unresolved reuse questions.

Fingerbank is broader than a DHCP lookup. Its API can combine an ordered DHCP option fingerprint with HTTP user agents, MAC information, mDNS services and destination hosts. This can improve device classification, but it also makes the result dependent on contextual data and an opaque classification service.

Prevalence databases

The TLS Fingerprint Observatory exposes a public API over passive observations from the University of Colorado Boulder and Merit Network.

Its TLS records can include:

fingerprint ID
first and last seen
total and per-source observations
TLS version and cipher suites
extensions and supported groups
signature algorithms and ALPN
key-share and supported-version fields
implementation labels where available

At the time of review, the service exposed more than one million distinct TLS fingerprints and billions of observations. Its TLS label count was effectively zero. The smaller QUIC corpus contained several hundred controlled implementation labels among roughly fifteen thousand fingerprints.

The observatory is consequently strong for prevalence and protocol evolution, but weak for general application lookup. Its API and collection engine are public; a clear licence for bulk reuse of the observed dataset was not found.

Passive and active matcher corpora

Resource Observation method Coverage Format
p0f Passive TCP SYN/SYN+ACK, MTU, HTTP traits INI-like signatures
Nmap OS DB Active probes OS family, generation and device type Probe-response records
Nmap service probes Active probes Services, products, versions and devices Probe payloads plus regex matches
Rapid7 Recog Passive or collected responses SSH, HTTP, FTP, SNMP, favicons, JARM and other surfaces XML rules and examples

A p0f TCP rule has compact fields for IP version, TTL, option layout, window size and quirks. Nmap's OS database instead records responses to tests such as SEQ, OPS, WIN, ECN, T1T7, U1 and IE, with weighted approximate matching.

Nmap remains actively maintained, but its data files use the Nmap Public Source License. Incorporation into proprietary products may require separate terms. p0f's upstream signatures are effectively dormant and do not provide strong coverage of current operating systems.

Rapid7 Recog is a maintained general matcher corpus. Its XML fingerprints contain a regular expression, description, examples and labelled parameters such as product, version, vendor, device and CPE. Its public JARM mapping is useful but small—closer to a seed list than comprehensive server intelligence.

Methods with examples but no authoritative public database

Several widely implemented fingerprints have public algorithms and a handful of labels, but no comprehensive maintained mapping database:

  • HASSH hashes ordered SSH key-exchange, encryption, MAC and compression lists. Public repositories provide illustrative OpenSSH, Paramiko, Dropbear and other mappings.
  • JARM actively sends ten TLS ClientHello probes and combines the server responses into a 62-character fingerprint. Salesforce publishes examples; Rapid7 Recog supplies a small maintained rule set.
  • Akamai's HTTP/2 fingerprinting paper documents SETTINGS order, window updates and priority behaviour, but does not publish its underlying application map.

Zeek, Suricata, Splunk and Wireshark can compute, ingest or display fingerprint fields. Tool support is not database coverage.

Threat and malware sources

Source Fingerprint role Format and access Important caution
SSLBL Malicious JA3 observations CC0 CSV and Suricata rules, regenerated every five minutes Not tested against known-good traffic
VirusTotal JA3, JA3S and JA4 pivots from sandbox behaviour Gated web/search service Shared value may mean common library, not common malware

SSLBL's CSV contains the JA3 hash, first seen, last seen and listing reason. It is a threat feed rather than an application database. Its labels describe malware-sample observations and must not be converted into unconditional block rules.

MISP defines objects for storing and exchanging fingerprint observations. ThreatFox stores general IOC types. Neither is a canonical application mapping database merely because a JA3 value can be carried in an event or attribute.

Public implementation, non-public knowledge base

Cisco Mercury publishes NPF generation and the schema for process, operating-system and destination-aware resources. The resource documentation describes files such as fingerprint_db.json and TLS prevalence lists.

The current Cisco-labelled resource database is not public. This distinguishes Mercury from both JA4DB and the TLS Fingerprint Observatory: it publishes the model and software, but not the operational mapping corpus.

Which source fits which question?

Question Better starting point
Has this fingerprint appeared before, and how often? TLS Fingerprint Observatory or local telemetry
What application has been observed using this value? JA4DB/sample or legacy JA3 mappings, with provenance checks
Does this response match a known OS or service rule? p0f, Nmap or Recog
Was this JA3 observed in malware samples? SSLBL or VirusTotal
Which device class fits DHCP and other network evidence? Fingerbank
How should a structured fingerprint database be modelled? Mercury resource schema

Before using any label for enforcement, apply the checklist in How to Evaluate a Fingerprint Database. The underlying categories are explained in What Is a Network Fingerprint Database?.

Related Articles

AI Crawler User Agents

A practical reference for common AI crawler user agents, operators, purposes, and recommended Peakhour bot-management actions.

AI For Cybersecurity

AI For Cybersecurity explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.

AI Image Generation

AI Image Generation explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.

© PEAKHOUR.IO PTY LTD 2026   ABN 76 619 930 826    All rights reserved.