Support FAQ

What Is a Network Fingerprint Database?

Back to learning

A network fingerprint database stores information that helps interpret an observed protocol fingerprint. That definition is deliberately broad. Public resources called “fingerprint databases” do not all contain the same kind of data or support the same decisions.

One may map a JA4 value to a browser library. Another may record how often an unlabelled TLS fingerprint appeared. A third may contain rules for matching an operating-system TCP stack. A malware feed may list JA3 hashes observed in sandbox captures. All four are useful, but their labels mean different things.

The first question should therefore be: what kind of database is this?

Fingerprint mapping databases

A mapping database associates a fingerprint with one or more labels:

fingerprint
  -> application
  -> library
  -> operating system
  -> device
  -> supporting observations

FoxIO's public JA4 sample mapping, the archived Salesforce JA3 lists, Trisul's ja3prints, and the historical FingerprinTLS database fit this category.

The difficult part is not storing the hash. It is establishing the label. A trustworthy mapping needs evidence that is independent of the fingerprint itself: a controlled client run, endpoint process telemetry, reviewed source capture, sandbox execution or another auditable source.

Even then, the mapping is usually many-to-many. Shared libraries cause different applications to produce the same fingerprint. One application may produce several fingerprints after a software update or configuration change.

Prevalence observatories

A prevalence observatory records what appeared on monitored networks and how often. It may store:

  • first and last seen;
  • total observation count;
  • counts by collection source;
  • parsed cipher, extension or transport-parameter fields;
  • an implementation label when one is available.

The current TLS Fingerprint Observatory is the clearest public example. It exposes more than a million distinct TLS fingerprints and billions of observations through its API, but almost none of its TLS entries currently have application labels. Its smaller QUIC collection has more controlled labels.

That makes it useful for novelty, prevalence and longitudinal research. It does not make it a general application-identification database. Counts from its university and research-network vantage points should not be presented as global client market share.

Matcher and signature corpora

Some databases contain rules rather than observed fingerprint-to-label rows.

The passive p0f corpus describes TCP, MTU and HTTP traits. The Nmap OS database describes how operating systems respond to a suite of active probes. Nmap service probes match service responses and banners. Rapid7 Recog uses XML rules to identify products and devices from SSH, HTTP, SNMP, JARM, favicon and other observations.

These are executable rule collections. A match means that the observed response satisfied a signature. It does not mean the database measured how common that response is or that no other implementation can produce it.

Threat feeds

A threat feed records fingerprints seen in malicious or suspicious material.

SSLBL's JA3 blacklist was built by analysing millions of PCAPs generated by malware samples. Its downloadable CSV includes the JA3 hash, first seen, last seen and listing reason.

SSLBL also publishes the warning that matters: the values were not tested against known-good traffic and may produce substantial false positives. A listed JA3 means that malware samples produced that handshake. It does not mean every program with the same JA3 is that malware.

VirusTotal provides JA3, JA3S and JA4 pivots around sandboxed files. Those pivots can connect samples that share network behaviour, but VirusTotal notes that they may share a malware family, a developer or simply a common TLS library. It is a gated investigation service, not an open bulk application database. See VirusTotal's JA4 search explanation.

Hosted classification services

Some resources expose a database through an account or API rather than publishing the underlying dataset.

JA4DB maps several JA4-family methods to applications and detection guidance. Fingerbank combines DHCP fingerprints, user agents, MAC/OUI information, mDNS services and destination hosts to classify devices.

These can provide current and useful results. They should not automatically be described as open databases. Access terms, export rights, confidence calibration and per-record provenance may differ from the licences covering the underlying fingerprint algorithms.

Public format, private labels

Cisco Mercury illustrates another model. The Mercury repository publishes the collector, Network Protocol Fingerprinting format and database schema. Its resource model can map fingerprints to process counts, operating systems and destinations, then use that information in a destination-context classifier.

The production Cisco-labelled knowledge base is not included in the public repository. Mercury is therefore a public format and analysis implementation with a documented database contract—not a public application-label database. How destination context changes TLS attribution explains that boundary.

What a database label means

Read the label according to its source:

Source Defensible interpretation
Controlled client capture This known implementation produced this fingerprint under the recorded conditions
Endpoint process join This process was associated with this network flow under the join rules
Passive prevalence observation This fingerprint appeared at this vantage point this many times
Signature match The response satisfied these matching rules
Malware sandbox feed One or more analysed malware samples produced this fingerprint
Community submission A contributor asserted this mapping; review and evidence quality may vary

None of those statements is equivalent to “this fingerprint uniquely identifies this application.”

For a comparison of the main public resources, see Public Network Fingerprint Databases and What They Cover. For a quality checklist, see How to Evaluate a Fingerprint Database.

Related Articles

AI Crawler User Agents

A practical reference for common AI crawler user agents, operators, purposes, and recommended Peakhour bot-management actions.

AI For Cybersecurity

AI For Cybersecurity explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.

AI Image Generation

AI Image Generation explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.

© PEAKHOUR.IO PTY LTD 2026   ABN 76 619 930 826    All rights reserved.