<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Peakhour.IO - Cisco Mercury</title><link href="https://www.peakhour.io/" rel="alternate"></link><link href="https://www.peakhour.io/feeds/tag/cisco-mercury.atom.xml" rel="self"></link><id>https://www.peakhour.io/</id><updated>2026-09-06T09:00:00+10:00</updated><entry><title>What an Open Network Fingerprint Database Should Publish</title><link href="https://www.peakhour.io/blog/open-network-fingerprint-database-schema/" rel="alternate"></link><published>2026-09-06T09:00:00+10:00</published><updated>2026-09-06T09:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-09-06:/blog/open-network-fingerprint-database-schema/</id><summary type="html">&lt;p&gt;A useful open fingerprint database needs provenance, competing labels, raw evidence, format versions and licences—not another unexplained hash list.&lt;/p&gt;</summary><content type="html">&lt;p&gt;An open fingerprint database should let another researcher disagree with it.&lt;/p&gt;
&lt;p&gt;That requires more than a hash and an application name. The row needs to show which bytes produced the fingerprint, how the label was established, where the traffic was observed, which software generated the value and what competing explanations remain plausible.&lt;/p&gt;
&lt;p&gt;Most public databases were built for a narrower purpose. Historical JA3 lists made values easy to share. Threat feeds made malware observations easy to match. Nmap and p0f made signature rules executable. TLS observatories count what appears at their vantage points. Those are sensible designs for their jobs.&lt;/p&gt;
&lt;p&gt;They do not yet add up to a reusable open ground-truth corpus.&lt;/p&gt;
&lt;h2&gt;Start with observations, not verdicts&lt;/h2&gt;
&lt;p&gt;The fundamental database object should be an observation:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;observation_id&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;...&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;observed_at&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;2026-07-12T00:00:00Z&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;capture&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;position&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;client-facing edge&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;collector&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;mercury&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;collector_revision&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;3172786...&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;source&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;controlled-client-run&amp;quot;&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="p"&gt;},&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;fingerprints&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[],&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;labels&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[],&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;evidence&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[],&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;licence&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;...&amp;quot;&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;The observation can then carry several fingerprint methods and several candidate labels. This is safer than making the hash the primary truth and forcing one application name into the same row.&lt;/p&gt;
&lt;h2&gt;Store the reversible material&lt;/h2&gt;
&lt;p&gt;Each fingerprint entry should contain the published identifier and the material used to derive it:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;method&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;ja4&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;implementation&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;FoxIO Python&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;implementation_revision&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;...&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;value&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;t12d2709h2_..._...&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;raw_value&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;t12d2709h2_002f,...&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;source_message_digest&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;sha256:...&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;truncated&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;false&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;For JA3, retain the five-part source string beside the MD5. For JA4, retain &lt;code&gt;JA4_r&lt;/code&gt; where collection policy permits it. For Mercury, retain the complete versioned NPF string rather than only its hash nickname. For HASSH, retain the algorithm lists. For a matcher rule, retain the response bytes or sanitised fixture that satisfied it.&lt;/p&gt;
&lt;p&gt;This permits field-level comparison, implementation testing and migration when a definition changes. It also exposes incompatible values hidden behind a common field name.&lt;/p&gt;
&lt;h2&gt;Make labels many-to-many&lt;/h2&gt;
&lt;p&gt;Labels should be separate evidence-backed assertions:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;type&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;process&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;value&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;example-client&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;version&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;1.2.3&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;source&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;endpoint-telemetry-join&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;review_state&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;reviewed&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;confidence&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mf"&gt;0.94&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;first_seen&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;...&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;last_seen&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;...&amp;quot;&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;One fingerprint can have several process labels because applications share libraries. One process can have several fingerprints because versions, platforms and configurations differ. The schema should preserve counts and conflict instead of selecting one winner during ingestion.&lt;/p&gt;
&lt;p&gt;Cisco Mercury's public &lt;a href="https://github.com/cisco/mercury/blob/main/doc/resources.md"&gt;resource schema&lt;/a&gt; points in this direction: fingerprint entries contain candidate processes, observation counts, operating systems and destinations. The production database is private, but the many-to-many model is the right starting point.&lt;/p&gt;
&lt;h2&gt;Describe how ground truth was produced&lt;/h2&gt;
&lt;p&gt;Use a controlled vocabulary for evidence sources:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;controlled_capture
endpoint_process_join
malware_sandbox
reviewed_pcap
active_probe_match
passive_observation
community_submission
derived_from_external_database
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Each type needs its own metadata. An endpoint join should record the join window and ambiguity rules. A controlled capture should name the client build, operating system and generation script. A malware sandbox label should identify the sample and distinguish the sandbox process from the malware process. A community submission should identify what a reviewer actually checked.&lt;/p&gt;
&lt;p&gt;Derived labels should never masquerade as independent evidence. If a mapping was imported from an older JA3 list, cite that row and keep its original uncertainty.&lt;/p&gt;
&lt;h2&gt;Separate prevalence from classification&lt;/h2&gt;
&lt;p&gt;Prevalence belongs in observation aggregates:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;source&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;university-vantage-a&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;first_seen&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;...&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;last_seen&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;...&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;count&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;184233&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;It should not silently increase application-label confidence. A common fingerprint is not necessarily well-labelled; a rare fingerprint is not necessarily suspicious.&lt;/p&gt;
&lt;p&gt;The &lt;a href="https://tlsfingerprint.io/"&gt;TLS Fingerprint Observatory&lt;/a&gt; demonstrates the value of publishing counts even when labels are missing. Its large unlabelled TLS corpus is more useful for prevalence research than a catalogue filled with guesses.&lt;/p&gt;
&lt;h2&gt;Represent threat observations explicitly&lt;/h2&gt;
&lt;p&gt;A malware feed should attach an observation, not overwrite the fingerprint's identity:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;type&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;malware-sandbox-observation&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;family&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;example-family&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;sample_sha256&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;...&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;observed_at&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;...&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;known_good_evaluation&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;not-performed&amp;quot;&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;This retains the warning published by sources such as &lt;a href="https://sslbl.abuse.ch/blacklist/"&gt;SSLBL&lt;/a&gt;. It allows a consumer to ask whether a fingerprint was seen in malware without treating every matching benign process as infected.&lt;/p&gt;
&lt;h2&gt;Publish validation sets and negative evidence&lt;/h2&gt;
&lt;p&gt;A useful database should include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;controlled positive captures;&lt;/li&gt;
&lt;li&gt;known-good observations that share supposedly malicious fingerprints;&lt;/li&gt;
&lt;li&gt;deliberately conflicting labels;&lt;/li&gt;
&lt;li&gt;client upgrades that changed fingerprints;&lt;/li&gt;
&lt;li&gt;malformed and truncated handshakes;&lt;/li&gt;
&lt;li&gt;captures before and after a TLS-terminating proxy;&lt;/li&gt;
&lt;li&gt;implementation conformance cases.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Negative and conflicting evidence is not database dirt. It tells consumers where a label stops working.&lt;/p&gt;
&lt;h2&gt;Version the data and the interpretation&lt;/h2&gt;
&lt;p&gt;Every release should state:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;schema version;&lt;/li&gt;
&lt;li&gt;database snapshot identifier;&lt;/li&gt;
&lt;li&gt;fingerprint implementation revisions;&lt;/li&gt;
&lt;li&gt;collection time range;&lt;/li&gt;
&lt;li&gt;label additions, removals and merges;&lt;/li&gt;
&lt;li&gt;retired mappings;&lt;/li&gt;
&lt;li&gt;licence changes;&lt;/li&gt;
&lt;li&gt;reproducible validation results.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Consumers should be able to pin a snapshot and explain which database caused a decision. A live service may remain convenient, but an incident review needs the state that existed when the event was classified.&lt;/p&gt;
&lt;h2&gt;Make licensing part of the schema&lt;/h2&gt;
&lt;p&gt;Fingerprint method, implementation and dataset rights are separate.&lt;/p&gt;
&lt;p&gt;Core JA4 is BSD-licensed. Other JA4+ methods use different FoxIO terms. Nmap's data files use the Nmap Public Source License. A combined historical repository may contain rows imported under different licences. An API may permit lookup but prohibit bulk redistribution.&lt;/p&gt;
&lt;p&gt;Store a licence or source-rights reference for each imported dataset and, where necessary, each record. If the rights are unclear, publish a pointer and transformation recipe rather than republishing the row.&lt;/p&gt;
&lt;h2&gt;Provide a confidence model that can be audited&lt;/h2&gt;
&lt;p&gt;A score without calibration is decoration. For each label type, document:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;what the score estimates;&lt;/li&gt;
&lt;li&gt;the labelled validation set;&lt;/li&gt;
&lt;li&gt;true-positive and false-positive definitions;&lt;/li&gt;
&lt;li&gt;treatment of unseen applications;&lt;/li&gt;
&lt;li&gt;time and environment holdouts;&lt;/li&gt;
&lt;li&gt;how conflicts and stale observations affect the score.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Where calibration is unavailable, use review states such as &lt;code&gt;submitted&lt;/code&gt;, &lt;code&gt;reproduced&lt;/code&gt;, &lt;code&gt;reviewed&lt;/code&gt; and &lt;code&gt;contested&lt;/code&gt; instead of inventing numeric precision.&lt;/p&gt;
&lt;h2&gt;The minimum viable open record&lt;/h2&gt;
&lt;p&gt;If full packet evidence cannot be published, a useful minimum is:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;method and rule version
implementation revision
compact and raw fingerprint
candidate label, including version/platform
ground-truth method
capture position
first and last seen
observation count
confidence or review state
evidence reference
licence
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;That is more expensive than a CSV containing &lt;code&gt;hash,name&lt;/code&gt;. It is also what makes the mapping useful outside the environment and assumptions of its original collector.&lt;/p&gt;
&lt;p&gt;The public ecosystem already contains most of the parts: JA4DB's cross-method model, the TLS observatory's prevalence data, Mercury's candidate-process and destination schema, FingerprinTLS's retained ClientHello fields, and executable fixtures in matcher projects such as Rapid7 Recog. The missing step is to combine those strengths without erasing provenance.&lt;/p&gt;
&lt;p&gt;For the current resource landscape, see &lt;a href="/learning/fingerprinting/public-network-fingerprint-databases/"&gt;Public Network Fingerprint Databases and What They Cover&lt;/a&gt;. For the import checklist, see &lt;a href="/learning/fingerprinting/how-to-evaluate-a-fingerprint-database/"&gt;How to Evaluate a Network Fingerprint Database&lt;/a&gt;.&lt;/p&gt;</content><category term="Security"></category><category term="Network Fingerprinting"></category><category term="TLS Fingerprinting"></category><category term="JA4"></category><category term="Cisco Mercury"></category><category term="Security Research"></category></entry><entry><title>Does TLS Fingerprint Canonicalisation Hide Attacker Variation? How to Test It</title><link href="https://www.peakhour.io/blog/tls-fingerprint-canonicalisation-attacker-variation/" rel="alternate"></link><published>2026-08-16T09:00:00+10:00</published><updated>2026-08-16T09:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-08-16:/blog/tls-fingerprint-canonicalisation-attacker-variation/</id><summary type="html">&lt;p&gt;Sorting makes TLS fingerprints more stable, but it also removes ordering evidence. Here is how to test whether the discarded variation matters.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Canonicalisation solves a real problem in TLS fingerprinting. If two ClientHello messages differ only because a client shuffled its extensions, treating them as unrelated fingerprints creates noise. Sorting those extensions puts the messages back into one cohort.&lt;/p&gt;
&lt;p&gt;It also destroys the original order.&lt;/p&gt;
&lt;p&gt;That is not automatically a mistake. A fingerprint is useful partly because it ignores variation that does not help with the job at hand. The unanswered question is whether some of the discarded variation separates ordinary client behaviour from automation, scanners or deliberate evasion.&lt;/p&gt;
&lt;p&gt;Our &lt;a href="/blog/one-clienthello-ja3-ja4-mercury-lab/"&gt;one-ClientHello lab&lt;/a&gt; cannot answer that. It proves that three pinned implementations produce recorded representations from the same bytes. It says nothing about a population of clients or attackers. Answering the canonicalisation question needs a corpus and a labelled experiment.&lt;/p&gt;
&lt;h2&gt;What gets collapsed?&lt;/h2&gt;
&lt;p&gt;JA3 removes GREASE values but otherwise preserves the order of the selected cipher, extension, supported-group and point-format lists. Change one of those ordered inputs and the MD5 digest changes.&lt;/p&gt;
&lt;p&gt;JA4 deliberately defines a broader equivalence class. Its canonical &lt;code&gt;b&lt;/code&gt; section hashes sorted cipher identifiers. Its &lt;code&gt;c&lt;/code&gt; section hashes sorted extension identifiers followed by signature algorithms in their advertised order. SNI and ALPN extension codes are omitted from that list because related information is represented in the readable &lt;code&gt;a&lt;/code&gt; section. FoxIO's &lt;a href="https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md"&gt;JA4 specification&lt;/a&gt; documents those choices.&lt;/p&gt;
&lt;p&gt;Cisco Mercury makes the rule version visible. In the current &lt;a href="https://github.com/cisco/mercury/blob/main/doc/npf.md"&gt;draft NPF specification&lt;/a&gt;, the older unversioned TLS format retains extension order, &lt;code&gt;tls/1&lt;/code&gt; sorts all represented extensions, and &lt;code&gt;tls/2&lt;/code&gt; sorts selected extensions while applying more specific inclusion and normalisation rules.&lt;/p&gt;
&lt;p&gt;These methods do not merely encode the same fingerprint differently. They define different ideas of “the same”.&lt;/p&gt;
&lt;h2&gt;Why Chrome forced the issue&lt;/h2&gt;
&lt;p&gt;Chrome's extension permutation rollout showed why order-sensitive identifiers can become operationally brittle. Peakhour's &lt;a href="/blog/tls-extension-randomisation/"&gt;2023 analysis&lt;/a&gt; recorded a sharp rise in unique order-sensitive signatures after the change. The browser family had not suddenly split into thousands of independent TLS implementations. Much of the new variation came from ordering.&lt;/p&gt;
&lt;p&gt;Sorting is an effective response if the goal is to recover the implementation cohort. It is also consistent with &lt;a href="https://chromestatus.com/feature/5124606246518784"&gt;Chrome's stated reason for making the change&lt;/a&gt;: servers and middleboxes should not depend on one fixed extension order.&lt;/p&gt;
&lt;p&gt;But an analyst may have another question. Does a tool permute extensions using the same mechanism and constraints as the browser it imitates? Does a scanner generate an ordering distribution that differs from Chrome's? Does malware preserve the static order supplied by its TLS library while claiming a Chrome user agent?&lt;/p&gt;
&lt;p&gt;A canonical JA4 can group those handshakes even when their ordering behaviour differs. That is expected. JA4 answered the cohort question, not every possible behavioural question.&lt;/p&gt;
&lt;h2&gt;The wrong experiment&lt;/h2&gt;
&lt;p&gt;Counting how many unique raw fingerprints map to one canonical fingerprint is a useful descriptive statistic. It is not, by itself, evidence that canonicalisation weakened detection.&lt;/p&gt;
&lt;p&gt;A common browser with extension permutation should produce many raw orders. A large raw-to-canonical ratio may therefore be evidence of normal deployment scale. Calling every collapsed value a loss of “fidelity” assumes that all variation was useful before the test has measured its relationship with any outcome.&lt;/p&gt;
&lt;p&gt;The reverse shortcut is also wrong. Stable canonical values do not prove that sorting is harmless for every detector. A field can be poor for application identification but useful for distinguishing one implementation path, library version or evasion technique.&lt;/p&gt;
&lt;p&gt;The experiment needs labels and a defined decision.&lt;/p&gt;
&lt;h2&gt;A testable study design&lt;/h2&gt;
&lt;p&gt;We would structure the study around observations, transformations and outcomes.&lt;/p&gt;
&lt;h3&gt;1. Preserve the original ClientHello&lt;/h3&gt;
&lt;p&gt;Store the permitted raw handshake metadata or a reversible representation alongside derived identifiers. Record:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;capture point and TLS termination path;&lt;/li&gt;
&lt;li&gt;sensor implementation and revision;&lt;/li&gt;
&lt;li&gt;timestamp and software-release period;&lt;/li&gt;
&lt;li&gt;JA3 source string and digest;&lt;/li&gt;
&lt;li&gt;JA4, &lt;code&gt;JA4_r&lt;/code&gt;, &lt;code&gt;JA4_o&lt;/code&gt; and &lt;code&gt;JA4_ro&lt;/code&gt; where the implementation provides them;&lt;/li&gt;
&lt;li&gt;a full, versioned Mercury NPF string;&lt;/li&gt;
&lt;li&gt;HTTP and browser claims kept separate from the TLS representation.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Without the raw or reversible material, a later study cannot recover the ordering that canonicalisation removed.&lt;/p&gt;
&lt;h3&gt;2. Define labels that do not come from the fingerprint&lt;/h3&gt;
&lt;p&gt;Labels need an independent source. Depending on the environment, that could include controlled browser runs, endpoint process telemetry, sandbox execution, signed test clients or reviewed incident cases.&lt;/p&gt;
&lt;p&gt;Do not label traffic as Chrome because its JA4 resembles Chrome and then report that JA4 identifies Chrome. That is circular evaluation.&lt;/p&gt;
&lt;p&gt;Cisco's destination-context research used joined endpoint and network observations to build process labels. The paper also discusses how sandbox and environment choices affect the resulting knowledge base. &lt;a href="https://arxiv.org/abs/2009.01939"&gt;Accurate TLS Fingerprinting Using Destination Context and Knowledge Bases&lt;/a&gt; is useful here because it treats ground truth as a system component rather than a list of famous hashes.&lt;/p&gt;
&lt;h3&gt;3. Compare representations at the same grouping level&lt;/h3&gt;
&lt;p&gt;Measure at least:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;raw ordered representation;&lt;/li&gt;
&lt;li&gt;canonical JA4;&lt;/li&gt;
&lt;li&gt;useful JA4 component combinations such as &lt;code&gt;JA4_ac&lt;/code&gt;;&lt;/li&gt;
&lt;li&gt;Mercury rule versions that preserve or sort different structures;&lt;/li&gt;
&lt;li&gt;raw ordering features added beside the canonical value.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The comparison should use the same captures, time split and labels. Otherwise a newer fingerprint method can appear better simply because it was evaluated on newer or cleaner data.&lt;/p&gt;
&lt;h3&gt;4. Use time and environment holdouts&lt;/h3&gt;
&lt;p&gt;Randomly splitting individual connections leaks near-duplicates between training and test data. Prefer a forward time split and, where possible, a separate network or capture environment.&lt;/p&gt;
&lt;p&gt;That exposes two operational questions: does the result survive a browser or library update, and does it survive outside the environment where the labels were collected?&lt;/p&gt;
&lt;h3&gt;5. Measure decisions, not just uniqueness&lt;/h3&gt;
&lt;p&gt;Useful measurements include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;collision and fragmentation rates by independently labelled client;&lt;/li&gt;
&lt;li&gt;precision and recall for a stated classification or detection task;&lt;/li&gt;
&lt;li&gt;false-positive rates on high-volume legitimate cohorts;&lt;/li&gt;
&lt;li&gt;stability across software releases;&lt;/li&gt;
&lt;li&gt;the incremental value of raw order after canonical identifiers and context are already present;&lt;/li&gt;
&lt;li&gt;review volume at an actual alert or policy threshold.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;If adding original order improves a classifier by a tiny amount but creates millions of unstable keys, the operational cost may outweigh the gain. If it separates a specific impersonation technique with few false positives, keeping it as a secondary feature may be worthwhile.&lt;/p&gt;
&lt;h2&gt;Keep both when the questions differ&lt;/h2&gt;
&lt;p&gt;The design choice does not have to be raw or canonical.&lt;/p&gt;
&lt;p&gt;A compact canonical identifier is useful for grouping, counters, joins and rules. A raw or reversible representation is useful for investigation, feature research and migration when the canonical rules change. Storage policy can keep the compact value broadly and retain detailed material for a bounded sample, selected security events or an approved research window.&lt;/p&gt;
&lt;p&gt;That split also makes detector claims easier to audit. The rule can say it grouped on JA4 while the event retains enough source material to explain which handshake produced the value.&lt;/p&gt;
&lt;h2&gt;What we can say now&lt;/h2&gt;
&lt;p&gt;Sorting removes ordering information. It reduces fragmentation caused by clients that permute their lists. Both statements follow from the format definitions and can be demonstrated with controlled captures.&lt;/p&gt;
&lt;p&gt;Whether the removed order contains useful attacker variation is an empirical question tied to a dataset, capture point, label source and decision. Until that study is run, the honest position is to preserve the evidence needed to test it and avoid turning either uniqueness or stability into a claim of detection accuracy.&lt;/p&gt;
&lt;p&gt;For the wider format comparison, see &lt;a href="/learning/fingerprinting/mercury-vs-ja4-vs-ja3/"&gt;Mercury vs JA4 vs JA3&lt;/a&gt;. For the identity boundary that applies to every result, read &lt;a href="/blog/fingerprint-is-a-cohort-not-a-client/"&gt;A network fingerprint is a cohort, not a client&lt;/a&gt;.&lt;/p&gt;</content><category term="Security"></category><category term="TLS Fingerprinting"></category><category term="JA4"></category><category term="Cisco Mercury"></category><category term="Network Fingerprinting"></category><category term="Security Research"></category></entry><entry><title>A Network Fingerprint Is a Cohort, Not a Client</title><link href="https://www.peakhour.io/blog/fingerprint-is-a-cohort-not-a-client/" rel="alternate"></link><published>2026-08-09T09:00:00+10:00</published><updated>2026-08-09T09:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-08-09:/blog/fingerprint-is-a-cohort-not-a-client/</id><summary type="html">&lt;p&gt;TLS fingerprints group similar protocol implementations. They do not prove which application, device or person made a request.&lt;/p&gt;</summary><content type="html">&lt;p&gt;A TLS fingerprint usually tells you that two connections look alike under a particular set of rules. That is useful. It is not the same as showing that they came from the same client.&lt;/p&gt;
&lt;p&gt;The distinction becomes obvious when a common TLS library sits underneath many programs. Those programs can offer the same protocol version, cipher suites, extensions and signature algorithms. A fingerprint built from those fields groups them together even though their purpose, owner and risk are different.&lt;/p&gt;
&lt;p&gt;The reverse also happens. One application can generate several fingerprints after a browser update, operating-system change, feature rollout or configuration difference. A fixed application name does not imply a fixed ClientHello.&lt;/p&gt;
&lt;p&gt;The safest mental model is a cohort: traffic that looks the same after a fingerprint method has selected and normalised its inputs.&lt;/p&gt;
&lt;h2&gt;The method defines the cohort&lt;/h2&gt;
&lt;p&gt;JA3 preserves the order of its selected ClientHello feature lists. Change the order and the MD5 value changes. JA4 sorts selected identifiers before calculating two of its components, so permutations that split a JA3 cohort may remain grouped under JA4.&lt;/p&gt;
&lt;p&gt;Cisco Mercury can preserve more packet-derived structure in its full Network Protocol Fingerprint. Different Mercury rule versions also make different normalisation choices. A &lt;code&gt;tls/2&lt;/code&gt; value is therefore not just a longer spelling of JA4. It is the result of another feature-selection contract.&lt;/p&gt;
&lt;p&gt;This means there is no format-independent "real fingerprint" hiding underneath the tools. Each method answers its own equivalence question: which differences count, and which should be ignored?&lt;/p&gt;
&lt;p&gt;Our &lt;a href="/blog/one-clienthello-ja3-ja4-mercury-lab/"&gt;same-PCAP lab&lt;/a&gt; demonstrates that point without relying on a hypothetical browser. The three tools inspect the same ClientHello and produce representations with different retained detail.&lt;/p&gt;
&lt;h2&gt;Common does not mean safe&lt;/h2&gt;
&lt;p&gt;A popular browser fingerprint will naturally appear in a great deal of legitimate traffic. An attacker can also use a browser, drive one through automation, or imitate its TLS stack. Matching a common browser value therefore says little about intent by itself.&lt;/p&gt;
&lt;p&gt;The opposite shortcut is just as risky. An uncommon fingerprint is not proof of malware. Internal tools, older mobile applications, embedded devices, accessibility software and regional client variants can all be rare in one dataset.&lt;/p&gt;
&lt;p&gt;Rarity is relative to the observation point. A fingerprint that is common across a public content site may be unusual on an administrative API. A value common in one country, network or month may be rare in another.&lt;/p&gt;
&lt;h2&gt;Capture point changes what you see&lt;/h2&gt;
&lt;p&gt;TLS fingerprinting only works where the relevant handshake is visible. At an origin behind a CDN or reverse proxy, the TLS connection may have been terminated and replaced upstream. The origin can then observe the proxy's connection rather than the end user's ClientHello unless the edge explicitly forwards a derived fingerprint.&lt;/p&gt;
&lt;p&gt;That forwarded value also needs provenance. Operators should know which implementation and format version produced it, whether it came from the client-facing connection, and whether middleware transformed or sampled the traffic.&lt;/p&gt;
&lt;p&gt;Without that information, two values that look compatible may have been generated under different rules. Fastly has documented how implementation differences can undermine the portability promised by a shared hash in &lt;a href="https://www.fastly.com/blog/the-state-of-tls-fingerprinting-whats-working-what-isnt-and-whats-next"&gt;The State of TLS Fingerprinting&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Context can improve an inference&lt;/h2&gt;
&lt;p&gt;Cisco's Mercury research is helpful because it does not hide the ambiguity. The 2020 destination-context paper reports that one TLS fingerprint often maps to tens or hundreds of process names. Its classifier adds destination IP address, port and server name, backed by a labelled knowledge base, to rank the possible processes.&lt;/p&gt;
&lt;p&gt;That is stronger than treating a bare fingerprint as an application name. It is still conditional. Change the environment, the age of the knowledge base, the available destination fields or the software population and the probabilities can change. The paper's reported accuracy belongs to its datasets and experimental design, not to every network that runs Mercury.&lt;/p&gt;
&lt;p&gt;JA4 deployments often add context too. A security platform might combine the JA4 value with request rate, geography, path, account state or observations from other customers. Those extra fields are not secretly part of JA4. They are features in the surrounding detection system.&lt;/p&gt;
&lt;h2&gt;Use fingerprints where grouping helps&lt;/h2&gt;
&lt;p&gt;Fingerprints earn their place when grouping similar connections improves an investigation or control. Examples include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;counting login failures across rotating IP addresses;&lt;/li&gt;
&lt;li&gt;finding a TLS stack that appeared at the start of an incident;&lt;/li&gt;
&lt;li&gt;comparing a claimed browser with HTTP and browser-side evidence;&lt;/li&gt;
&lt;li&gt;monitoring drift after a client or library release;&lt;/li&gt;
&lt;li&gt;selecting traffic for review before writing a narrower rule.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For the decision and enforcement consequences, see &lt;a href="/blog/fingerprints-are-evidence-not-identity/"&gt;Fingerprints are evidence, not identity&lt;/a&gt;. The protocol-specific conclusion here is narrower: a matching TLS fingerprint places connections in a cohort defined by one method. It cannot tell you, on its own, who is on the other end.&lt;/p&gt;
&lt;p&gt;The practitioner follow-up, &lt;a href="/blog/using-network-fingerprints-in-bot-and-rate-limit-decisions/"&gt;Using network fingerprints in bot and rate-limit decisions&lt;/a&gt;, turns that boundary into a route-scoped policy and rollback model.&lt;/p&gt;</content><category term="Security"></category><category term="TLS Fingerprinting"></category><category term="JA3"></category><category term="JA4"></category><category term="Cisco Mercury"></category><category term="Network Fingerprinting"></category><category term="Bot Management"></category></entry><entry><title>From Joy to Mercury and EVE: Following Cisco's Network Fingerprinting Work</title><link href="https://www.peakhour.io/blog/from-joy-to-mercury-and-eve/" rel="alternate"></link><published>2026-08-02T09:00:00+10:00</published><updated>2026-08-02T09:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-08-02:/blog/from-joy-to-mercury-and-eve/</id><summary type="html">&lt;p&gt;Cisco's open-source collectors, fingerprinting research and Encrypted Visibility Engine form a clear lineage, but they are not interchangeable parts of one public system.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Cisco's network fingerprinting work is often compressed into a neat product story: Joy became Mercury, and Mercury became the Encrypted Visibility Engine. There is a real lineage here, but that sentence hides more than it explains.&lt;/p&gt;
&lt;p&gt;Joy and Mercury are public software projects. Network Protocol Fingerprinting is a representation. The 2020 destination-context paper describes a classification system and the data needed to support it. EVE is a Cisco Secure Firewall capability backed by Cisco's operational data and machine-learning systems.&lt;/p&gt;
&lt;p&gt;Those pieces share ideas, authors and engineering history. They are not four names for the same thing.&lt;/p&gt;
&lt;h2&gt;Joy started with flow records, then looked inside them&lt;/h2&gt;
&lt;p&gt;Cisco released &lt;a href="https://github.com/cisco/joy"&gt;Joy&lt;/a&gt; as a BSD-licensed tool for collecting network flow and &lt;em&gt;intraflow&lt;/em&gt; data from live traffic or PCAP files. Its basic unit was recognisable to anyone who had worked with NetFlow or IPFIX: a flow with addresses, ports and counters. Joy then added observations from within that flow.&lt;/p&gt;
&lt;p&gt;Those observations included packet lengths and arrival times, byte distributions, TLS record sequences, visible TLS handshake fields, DNS data and selected HTTP fields. It wrote the results as JSON so researchers could feed them into analysis tools without building a packet parser first.&lt;/p&gt;
&lt;p&gt;That breadth matters. Joy was not originally just a ClientHello hash generator. It was a network-research instrument for asking what could still be learned from traffic when the application payload was encrypted.&lt;/p&gt;
&lt;p&gt;The research around Joy shows how Cisco used it. The 2016 paper &lt;a href="https://arxiv.org/abs/1607.01639"&gt;Deciphering Malware's Use of TLS (without Decryption)&lt;/a&gt; combined conventional flow measurements, packet-length and timing sequences, byte distributions and visible TLS handshake features. Its authors were interested in malware detection and family attribution, but they were also explicit about dataset bias. A sandbox operating system or its default TLS library could become an accidental shortcut for the classifier.&lt;/p&gt;
&lt;p&gt;In 2017, &lt;a href="https://arxiv.org/abs/1706.08003"&gt;OS Fingerprinting: New Techniques and a Study of Information Gain and Obfuscation&lt;/a&gt; used an extended Joy collector to record features from TCP SYN packets, TLS ClientHello messages and HTTP requests. The study combined evidence across protocols and sessions rather than expecting one handshake to provide a definitive operating-system label.&lt;/p&gt;
&lt;p&gt;The enduring idea was broader than any one model: retain useful network observations, join them to trustworthy labels where possible, and test what the combined evidence can support.&lt;/p&gt;
&lt;h2&gt;Mercury narrowed and hardened the collection path&lt;/h2&gt;
&lt;p&gt;The Joy repository now directs readers to Mercury for Cisco's more recent fingerprinting tools and data. &lt;a href="https://github.com/cisco/mercury"&gt;Mercury&lt;/a&gt; carries forward the packet-metadata and JSON-output model, but it is a separate implementation with a stronger focus on fast capture, protocol fingerprints and online analysis.&lt;/p&gt;
&lt;p&gt;The public repository contains a C++ application and library, along with the portable Python implementation &lt;code&gt;pmercury&lt;/code&gt;. Mercury can read PCAPs or live traffic, identify supported protocols and emit selected metadata. On Linux, its native collector uses the kernel's &lt;code&gt;AF_PACKET&lt;/code&gt; &lt;code&gt;TPACKETv3&lt;/code&gt; path and multiple workers. The repository describes use in some production applications, while still asking users to treat the open software as beta.&lt;/p&gt;
&lt;p&gt;Mercury also makes a useful boundary visible in its JSON:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;packet
  -&amp;gt; protocol metadata
  -&amp;gt; fingerprint object
  -&amp;gt; optional destination-context analysis
  -&amp;gt; analysis object
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;The fingerprint is an observation. The analysis is an inference made from that observation and other data. They should not be collapsed into one label.&lt;/p&gt;
&lt;h2&gt;NPF is the representation, not the classifier&lt;/h2&gt;
&lt;p&gt;Mercury's fingerprints use Cisco's Network Protocol Fingerprinting format. NPF selects characteristic fields from an initial protocol message, normalises values that should not distinguish implementations, and writes the retained structure as a tree of hexadecimal byte strings.&lt;/p&gt;
&lt;p&gt;A full TLS fingerprint can therefore be inspected. Its &lt;code&gt;tls/2&lt;/code&gt; prefix identifies the protocol and rule version; parentheses and brackets preserve the selected tree structure and sorting decisions. Mercury can also use a compact hash nickname when fixed-length storage is more useful than inspection.&lt;/p&gt;
&lt;p&gt;The &lt;a href="https://github.com/cisco/mercury/blob/main/doc/npf.md"&gt;draft NPF specification&lt;/a&gt; covers more than TLS. It documents rules for protocols including QUIC, TCP, HTTP, SSH, STUN and OpenVPN. This is one point at which the Joy heritage remains visible: the project treats protocol evidence as a network-wide problem, not solely as a way to name TLS clients.&lt;/p&gt;
&lt;p&gt;Our guide to &lt;a href="/learning/fingerprinting/what-is-cisco-mercury-fingerprinting/"&gt;Cisco Mercury fingerprinting&lt;/a&gt; separates the collector, NPF representation, knowledge base and classifier in more detail. &lt;a href="/learning/fingerprinting/inside-mercury-npf-fingerprint/"&gt;Inside a Mercury NPF fingerprint&lt;/a&gt; works through the full notation.&lt;/p&gt;
&lt;h2&gt;The 2020 paper made the attribution problem explicit&lt;/h2&gt;
&lt;p&gt;A fingerprint is useful for grouping similar protocol implementations. It is often a poor application name.&lt;/p&gt;
&lt;p&gt;Blake Anderson and David McGrew quantified that problem in &lt;a href="https://arxiv.org/abs/2009.01939"&gt;Accurate TLS Fingerprinting Using Destination Context and Knowledge Bases&lt;/a&gt;. TLS libraries are shared. Common fingerprints can map to tens or hundreds of processes. A dictionary that assigns one process name to one fingerprint will therefore produce convincing-looking false positives.&lt;/p&gt;
&lt;p&gt;The paper added three destination features to the TLS fingerprint: destination address, destination port and the TLS server name, when present. A weighted naive Bayes classifier used those features and prevalence counts from a labelled knowledge base to rank candidate processes.&lt;/p&gt;
&lt;p&gt;The knowledge base was the difficult part. The researchers joined network observations to endpoint process data, generated fresh knowledge bases daily and merged them into an operational view. They also used malware-sandbox observations. The paper describes billions of connections, a changing population of fingerprints and destinations, and the need to discard stale data.&lt;/p&gt;
&lt;p&gt;Its reported results were strong, including a process-family F1 score above 0.99 and high precision and recall for the malware task. Those figures belong to the paper's datasets and evaluation. They are not an accuracy guarantee for a Mercury installation downloaded from GitHub.&lt;/p&gt;
&lt;p&gt;The authors also documented important limits: their endpoint data was dominated by desktop Windows and macOS systems, mobile and IoT coverage was absent, and most data came from one enterprise. They wrote that a site could build a custom knowledge base if it had suitable endpoint ground truth and network monitoring, but acknowledged the significant initial investment.&lt;/p&gt;
&lt;p&gt;That is the operational lesson. A classifier is not made current by having a good fingerprint format. It stays current through labelled collection, joining, curation, expiry and evaluation.&lt;/p&gt;
&lt;p&gt;For a closer reading, see &lt;a href="/learning/fingerprinting/destination-context-tls-attribution/"&gt;how destination context changes TLS attribution&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;EVE puts the research into a firewall product&lt;/h2&gt;
&lt;p&gt;Cisco describes its Encrypted Visibility Engine as work based on that earlier destination-context research. EVE first appeared in &lt;a href="https://www.cisco.com/c/en/us/td/docs/security/firepower/710/relnotes/firepower-release-notes-710/features.html"&gt;Secure Firewall 7.1&lt;/a&gt; as a disabled-by-default experimental beta for visibility only; it did not enforce actions and Cisco warned that it could produce false positives. The &lt;a href="https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/release-notes/threat-defense/720/threat-defense-release-notes-72.html"&gt;7.2 release notes&lt;/a&gt; say EVE began working with QUIC and allowed high-confidence process assignments to feed application policy. &lt;a href="https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/release-notes/threat-defense/730/threat-defense-release-notes-73.html"&gt;Version 7.3&lt;/a&gt; specifically added HTTP/3 and SMB-over-QUIC detection, along with indication-of-compromise events for unsafe applications.&lt;/p&gt;
&lt;p&gt;In Cisco's account of &lt;a href="https://blogs.cisco.com/security/how-eve-detects-malicious-uses-of-trustworthy-cloud-services"&gt;how EVE detects malicious use of trustworthy cloud services&lt;/a&gt;, the runtime inputs have the same recognisable shape:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;an NPF representing client-side protocol characteristics; and&lt;/li&gt;
&lt;li&gt;server context such as address, port and domain name.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;EVE uses machine learning over Cisco's labelled data to estimate the client process and detect suspicious encrypted traffic without decrypting its payload. Cisco says its training data is refreshed daily with network samples joined to endpoint ground truth, with additional malicious observations from Cisco Secure Malware Analytics.&lt;/p&gt;
&lt;p&gt;This is the clearest public link from NPF and the 2020 paper to the commercial system. It is also where careful wording matters most.&lt;/p&gt;
&lt;p&gt;The public Mercury repository is not a source release of the complete EVE service. Building Mercury does not provide Cisco's continuously collected production dataset, its current models, Secure Firewall integration, Talos context or product policy behaviour. Conversely, the fact that EVE uses NPF does not mean every detail of its current implementation is present in the open repository or frozen at the method described in the 2020 paper.&lt;/p&gt;
&lt;p&gt;Open code, published research and a maintained security product have different release cycles and different evidence behind them.&lt;/p&gt;
&lt;h2&gt;What the lineage actually establishes&lt;/h2&gt;
&lt;p&gt;There is a coherent progression:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;Joy
  broad flow and intraflow metadata for research

Mercury + NPF
  faster collection and versioned, multi-protocol fingerprints

2020 destination-context system
  fingerprints joined to destinations and endpoint labels

EVE
  Cisco-maintained classification in Secure Firewall
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;This is a lineage of ideas and systems, not a promise that each box is a drop-in edition of the next one.&lt;/p&gt;
&lt;p&gt;Joy established a practical way to collect visible evidence around encrypted flows. Mercury made protocol fingerprinting a more explicit and efficient part of that collection. NPF gave those fingerprints a structured, versioned form. The destination-context work showed why labelled, continuously refreshed context was necessary for process attribution. EVE operationalised those ideas inside a commercial firewall environment with data and integrations that do not ship with the public collector.&lt;/p&gt;
&lt;p&gt;That history also explains why Cisco's branch of fingerprinting developed differently from JA3 and JA4. A portable hash is useful for logging and exchange. Cisco's work kept returning to a harder question: what additional evidence, labels and maintenance are required before a network observation can support a process assessment?&lt;/p&gt;
&lt;p&gt;Neither approach turns a handshake into identity. Our &lt;a href="/blog/two-lineages-tls-fingerprinting/"&gt;two lineages of TLS fingerprinting&lt;/a&gt; article places Cisco's work alongside JA3 and JA4. The reproducible &lt;a href="/blog/one-clienthello-ja3-ja4-mercury-lab/"&gt;one ClientHello, three fingerprints lab&lt;/a&gt; shows the format differences without relying on any vendor classification database.&lt;/p&gt;</content><category term="Security"></category><category term="Cisco Joy"></category><category term="Cisco Mercury"></category><category term="Encrypted Visibility Engine"></category><category term="TLS Fingerprinting"></category><category term="Network Fingerprinting"></category><category term="Encrypted Traffic"></category></entry><entry><title>Two Lineages of TLS Fingerprinting: JA3, JA4 and Cisco Mercury</title><link href="https://www.peakhour.io/blog/two-lineages-tls-fingerprinting/" rel="alternate"></link><published>2026-07-26T09:00:00+10:00</published><updated>2026-07-26T09:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-07-26:/blog/two-lineages-tls-fingerprinting/</id><summary type="html">&lt;p&gt;JA4 did not descend from Cisco Mercury. The two projects come from different strands of TLS fingerprinting research and solve different operational problems.&lt;/p&gt;</summary><content type="html">&lt;p&gt;It is tempting to draw the history of TLS fingerprinting as a single line: JA3, then JA4, with Cisco Mercury somewhere nearby. That version is tidy. It is also wrong.&lt;/p&gt;
&lt;p&gt;Two strands of work developed around the same observation: a TLS ClientHello exposes enough information to say something useful about the software that created it. One strand concentrated on portable identifiers that could be logged and exchanged. The other concentrated on retaining protocol structure and combining it with evidence that could improve classification.&lt;/p&gt;
&lt;p&gt;JA3 and JA4 belong mainly to the first strand. Cisco Mercury belongs mainly to the second. For the technical work that preceded JA3, see &lt;a href="/blog/before-ja3-tls-fingerprinting-history/"&gt;how TLS handshakes became fingerprints&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Before JA3&lt;/h2&gt;
&lt;p&gt;Passive fingerprinting predates TLS. Tools such as p0f identified operating-system characteristics from TCP/IP behaviour without sending probes to the target. Researchers later applied the same instinct to fields exposed during SSL and TLS negotiation.&lt;/p&gt;
&lt;p&gt;In 2009, Ivan Ristić published an &lt;a href="https://blog.ivanristic.com/2009/06/http-client-fingerprinting-using-ssl-handshake-analysis.html"&gt;SSL handshake fingerprinting experiment&lt;/a&gt; that compared ClientHello messages from web clients. Marek Majkowski followed with a &lt;a href="https://idea.popcount.org/2012-06-17-ssl-fingerprinting-for-p0f/"&gt;TLS fingerprinting patch for p0f&lt;/a&gt; in 2012. Lee Brotherston's &lt;a href="https://github.com/LeeBrotherston/tls-fingerprinting"&gt;FingerprinTLS&lt;/a&gt; later provided tools and a database for creating and matching TLS fingerprints.&lt;/p&gt;
&lt;p&gt;Salesforce's JA3 project drew directly on that work. JA3 serialised five ordered ClientHello feature groups, removed GREASE values and calculated an MD5 digest. The result was compact enough to put in a log, share in threat intelligence or match in a rule. The &lt;a href="https://github.com/salesforce/ja3"&gt;archived JA3 repository&lt;/a&gt; documents both the format and its debt to FingerprinTLS.&lt;/p&gt;
&lt;p&gt;JA3's compactness came with a cost. A digest does not explain why two clients differ. Ordered inputs also meant that harmless permutation could produce a different value. Most importantly, a matching digest did not prove that the traffic came from one application. Programs built on a shared TLS library could produce the same ClientHello.&lt;/p&gt;
&lt;h2&gt;The JA4 branch&lt;/h2&gt;
&lt;p&gt;FoxIO introduced JA4 in 2023 after Chrome began permuting TLS extension order. Peakhour saw the practical effect of that change in our &lt;a href="/blog/tls-extension-randomisation/"&gt;Chrome extension-randomisation analysis&lt;/a&gt;: a representation that preserved extension order split one common browser family into a large number of values.&lt;/p&gt;
&lt;p&gt;JA4 canonicalises selected ClientHello features before hashing them. Its &lt;code&gt;a_b_c&lt;/code&gt; structure keeps a readable summary in the first section, a digest of sorted cipher identifiers in the second, and a digest derived from extensions and signature algorithms in the third. This makes the components useful independently. An analyst can group on part of a JA4 value without pretending every field is identical.&lt;/p&gt;
&lt;p&gt;That is deliberate lossy compression. JA4 is useful because it throws away distinctions its designers judged unstable or unhelpful for this job. It is not a reversible rendering of the ClientHello, and its truncated SHA-256 sections do not provide a measure of semantic distance. The exact format is set out in the &lt;a href="https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md"&gt;FoxIO JA4 technical specification&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;JA4 is one method. JA4+ is the name used for a wider family that includes server, HTTP, TCP, SSH, certificate and other fingerprints. Those methods do not all share JA4's licence, which matters if the fingerprints will be built into a commercial service.&lt;/p&gt;
&lt;h2&gt;The Cisco research branch&lt;/h2&gt;
&lt;p&gt;Cisco's work took a different route. In 2016, Blake Anderson, Subharthi Paul and David McGrew studied how observable TLS features could help distinguish malware from enterprise traffic without decrypting it. Their paper, &lt;a href="https://arxiv.org/abs/1607.01639"&gt;Deciphering Malware's Use of TLS&lt;/a&gt;, also dealt with an awkward issue that still matters: malware-sandbox data can bias a classifier.&lt;/p&gt;
&lt;p&gt;Anderson and McGrew's 2017 &lt;a href="https://arxiv.org/abs/1706.08003"&gt;operating-system fingerprinting research&lt;/a&gt; combined evidence from TCP/IP, TLS and HTTP across multiple sessions. The point was not to mint a universally portable hash. It was to ask whether several kinds of passive evidence, accumulated over time, reduced uncertainty about the endpoint.&lt;/p&gt;
&lt;p&gt;The same multi-protocol approach appears in Cisco's Joy and Mercury projects. Mercury's Network Protocol Fingerprinting format represents selected protocol features as a tree of hexadecimal byte strings. The full form retains structure. Its naming can state the protocol and fingerprint rule version. An optional compact hash can be used where a fixed-length value is more practical. Cisco's current &lt;a href="https://github.com/cisco/mercury/blob/main/doc/npf.md"&gt;draft NPF specification&lt;/a&gt; defines fingerprints for TLS, QUIC, TCP, HTTP, SSH and other protocols.&lt;/p&gt;
&lt;p&gt;Mercury also keeps fingerprint generation separate from process classification. That distinction is easy to miss.&lt;/p&gt;
&lt;h2&gt;A fingerprint and a label are different things&lt;/h2&gt;
&lt;p&gt;In Cisco's 2020 paper, &lt;a href="https://arxiv.org/abs/2009.01939"&gt;Accurate TLS Fingerprinting Using Destination Context and Knowledge Bases&lt;/a&gt;, the authors found that common TLS fingerprints mapped to many processes. For the 100 most prevalent fingerprints in their May 2020 data, the median was 24.5 process names per fingerprint.&lt;/p&gt;
&lt;p&gt;Their response was not a longer hash. They combined the fingerprint with destination address, port and server name, then used a weighted naïve Bayes classifier backed by a continually updated knowledge base.&lt;/p&gt;
&lt;p&gt;That produces an inference, not a property embedded in the fingerprint string. The result depends on labelled observations, their age, the monitored environment and the destination evidence available for the connection. The open Mercury repository can generate fingerprints without possessing Cisco's production knowledge base.&lt;/p&gt;
&lt;p&gt;This is the clearest difference between the two lineages:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;JA3 and JA4 define portable representations for selected TLS observations.&lt;/li&gt;
&lt;li&gt;Mercury NPF retains a richer, versioned representation that can be fed into a separate analysis system.&lt;/li&gt;
&lt;li&gt;Mercury's destination-context classifier is another layer again.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;None of these layers proves who made a request.&lt;/p&gt;
&lt;h2&gt;Where the lineages meet&lt;/h2&gt;
&lt;p&gt;The projects respond to many of the same protocol changes. Both JA4 and recent Mercury formats sort selected TLS fields to reduce instability caused by permutation. Both deal explicitly with GREASE. Both recognise that operators need compact values for logs as well as enough detail to investigate differences.&lt;/p&gt;
&lt;p&gt;They make different trade-offs. JA4 is convenient for grouping and interchange. Mercury's full NPF form is better suited to inspection and to analysis that benefits from retained structure. JA4's wider family adds fingerprints for other observations, while Mercury is also a packet metadata collector and protocol-analysis library. Comparing only the length of their hashes misses most of the design.&lt;/p&gt;
&lt;p&gt;The lab article makes that concrete. In &lt;a href="/blog/one-clienthello-ja3-ja4-mercury-lab/"&gt;one ClientHello, three fingerprints&lt;/a&gt;, we run JA3, JA4 and Mercury against the same packet capture, record the exact tool versions and compare what each output preserves.&lt;/p&gt;</content><category term="Security"></category><category term="TLS Fingerprinting"></category><category term="JA3"></category><category term="JA4"></category><category term="Cisco Mercury"></category><category term="Network Fingerprinting"></category><category term="Threat Detection"></category></entry><entry><title>One ClientHello, Three Fingerprints: JA3, JA4 and Mercury</title><link href="https://www.peakhour.io/blog/one-clienthello-ja3-ja4-mercury-lab/" rel="alternate"></link><published>2026-07-12T09:00:00+10:00</published><updated>2026-07-12T09:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-07-12:/blog/one-clienthello-ja3-ja4-mercury-lab/</id><summary type="html">&lt;p&gt;A reproducible lab runs JA3, JA4 and Cisco Mercury against the same TLS ClientHello and compares what each fingerprint preserves.&lt;/p&gt;</summary><content type="html">&lt;p&gt;The easiest way to misunderstand network fingerprints is to compare example strings taken from different clients. We wanted a cleaner test: one packet capture, one TLS ClientHello and three fingerprint formats.&lt;/p&gt;
&lt;p&gt;The complete lab is checked into this site's source under &lt;code&gt;labs/network-fingerprinting/&lt;/code&gt;, and the &lt;a href="/static/downloads/network-fingerprinting-lab.tar.gz"&gt;publication bundle is available here&lt;/a&gt;. It pins the tool revisions, reconstructs the fixture, verifies its checksum, runs the tools and checks that their outputs refer to the same connection. Nothing in the comparison depends on a vendor database or an application label.&lt;/p&gt;
&lt;h2&gt;The input&lt;/h2&gt;
&lt;p&gt;The fixture is a 329-byte Peakhour-generated capture containing a local OpenSSL 3.5.6 ClientHello wrapped in one synthetic Ethernet/IPv4/TCP packet:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;10.1.1.1:40000 -&amp;gt; 10.2.2.2:443
SNI: lab.peakhour.test
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;The lab stores the small fixture as base64 under an adjacent BSD 3-Clause licence and verifies the decoded PCAP with SHA-256 before using it. The reserved SNI and private addresses did not cross a network. We select packet 1 and TCP stream 0. That selection matters: saying that several tools read the same PCAP is weaker than proving that their output describes the same flow and ClientHello.&lt;/p&gt;
&lt;p&gt;The pinned revisions for this run are:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;Cisco Mercury  3172786645f70e1a8347d8cf020b736e185651e5
FoxIO JA4      0e54bc8371de34df94a35f2442c05bda2e8b2034
Salesforce JA3 502cc6395811c54743b0561419d61900a6df3ff7
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;These pins are part of the result. Fingerprint implementations and specifications change. A value without its method and version is harder to reproduce than it first appears.&lt;/p&gt;
&lt;h2&gt;Running the lab&lt;/h2&gt;
&lt;p&gt;From the repository root:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;./labs/network-fingerprinting/run.sh
python&lt;span class="w"&gt; &lt;/span&gt;labs/network-fingerprinting/verify.py
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;The runner fetches the pinned source archives, builds or invokes the implementations in a temporary work directory, and writes evidence to &lt;code&gt;labs/network-fingerprinting/results/&lt;/code&gt;. The verifier checks the fixture and output checksums, connection tuple, SNI and output shape. The pinned source URLs are enforced by the runner rather than inferred by the verifier.&lt;/p&gt;
&lt;p&gt;This is a fingerprint-format lab, not a speed test. Build time, runtime and memory use depend heavily on language, wrapper and capture path, so we do not compare them here.&lt;/p&gt;
&lt;h2&gt;JA3: a portable exact-match digest&lt;/h2&gt;
&lt;p&gt;For this ClientHello, the canonical JA3 feature string is:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;771,49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47,65281-0-11-10-35-16-22-23-13,29-23-30-24-25,0-1-2
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Its MD5 digest is:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;e1934f32e97b0bd52227953ca7d30118
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;The digest is convenient for logs and exact lookup. On its own it does not show which cipher, extension or group changed. The pre-hash string retains enough information to investigate that difference, which is why throwing it away too early can make later analysis harder.&lt;/p&gt;
&lt;p&gt;JA3 removes GREASE values but otherwise retains the order of its selected lists. A client that permutes extension order can therefore generate a new JA3 digest without changing its effective TLS capabilities. The &lt;a href="https://github.com/salesforce/ja3"&gt;archived Salesforce JA3 repository&lt;/a&gt; defines the input fields and GREASE handling.&lt;/p&gt;
&lt;h2&gt;JA4: canonicalised components&lt;/h2&gt;
&lt;p&gt;The same ClientHello produces this JA4:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;t12d2709h2_a2460661a67a_36cef8aed422
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Its first section is readable:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;t&lt;/code&gt; means TLS over TCP;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;12&lt;/code&gt; is the highest supported TLS version after ignoring GREASE;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;d&lt;/code&gt; says a domain was present in SNI;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;27&lt;/code&gt; and &lt;code&gt;09&lt;/code&gt; are the cipher and extension counts after the format's exclusions;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;h2&lt;/code&gt; summarises the first ALPN value.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The second section is the first 12 hexadecimal characters of SHA-256 over sorted cipher identifiers. The third is a truncated SHA-256 value derived from sorted extension identifiers and the signature algorithms in their original order. The canonical &lt;a href="https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md"&gt;JA4 technical specification&lt;/a&gt; defines the exact exclusions and encodings.&lt;/p&gt;
&lt;p&gt;The lab also records &lt;code&gt;JA4_r&lt;/code&gt;, the raw form used by the FoxIO tooling:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;t12d2709h2_002f,0033,0035,0039,003c,003d,0067,006b,009c,009d,009e,009f,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030,cca8,cca9,ccaa_000a,000b,000d,0016,0017,0023,ff01_0403,0503,0603,0807,0808,0809,080a,080b,0804,0805,0806,0401,0501,0601,0303,0301,0302,0402,0502,0602
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;That makes the normalisation visible. It also shows why JA4 is not fuzzy hashing: sorting makes selected permutations equivalent, while the hashes still support equality matching rather than semantic distance.&lt;/p&gt;
&lt;h2&gt;Mercury NPF: a retained protocol tree&lt;/h2&gt;
&lt;p&gt;Cisco Mercury 2.18 emits this &lt;code&gt;tls/2&lt;/code&gt; fingerprint for the same ClientHello:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;tls/2/(0303)(c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f)[(0000)(000a000c000a001d0017001e00180019)(000b000403000102)(000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602)(0010000e000c02683208687474702f312e31)(0016)(0017)(ff01)]
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;The value is longer because it is doing another job. Parentheses and square brackets describe an ordered tree of selected byte strings. In the draft NPF notation, square brackets mark a lexicographically sorted list. The &lt;code&gt;tls/2&lt;/code&gt; prefix names the protocol and fingerprint rule version.&lt;/p&gt;
&lt;p&gt;An analyst can inspect the retained values rather than relying only on a digest. Mercury also defines a compact hash nickname when a fixed-length index is needed, but that nickname loses the structure used for inspection, prefix comparison or approximate matching. Cisco's &lt;a href="https://github.com/cisco/mercury/blob/main/doc/npf.md"&gt;draft NPF specification&lt;/a&gt; documents both representations.&lt;/p&gt;
&lt;p&gt;The Mercury JSON includes the same source and destination tuple and the same SNI as the JA3 and JA4 records. It does not identify the client application in this lab because we did not run a labelled fingerprint knowledge base or the destination-context classifier. A packet-derived NPF value and a process assessment are separate outputs.&lt;/p&gt;
&lt;h2&gt;What the comparison establishes&lt;/h2&gt;
&lt;p&gt;All three methods observe the same ClientHello, but they define similarity differently.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Question&lt;/th&gt;
&lt;th&gt;JA3&lt;/th&gt;
&lt;th&gt;JA4&lt;/th&gt;
&lt;th&gt;Mercury NPF &lt;code&gt;tls/2&lt;/code&gt;&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Compact default&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;td&gt;No; optional hash available&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Inspectable selected inputs&lt;/td&gt;
&lt;td&gt;Only if the pre-hash string is retained&lt;/td&gt;
&lt;td&gt;Partly in &lt;code&gt;a&lt;/code&gt;; fully in the recorded raw form&lt;/td&gt;
&lt;td&gt;Yes in the full tree&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Selected list sorting&lt;/td&gt;
&lt;td&gt;No, after GREASE removal&lt;/td&gt;
&lt;td&gt;Ciphers and most extensions&lt;/td&gt;
&lt;td&gt;Rule-specific selected extensions&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Explicit format version in value&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;Encoded field semantics, but no separate rule number&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Semantic or approximate comparison&lt;/td&gt;
&lt;td&gt;Not from the digest&lt;/td&gt;
&lt;td&gt;Component grouping, not hash distance&lt;/td&gt;
&lt;td&gt;Full structure can support richer matching&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Application attribution in the format&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;The table does not produce a universal winner. JA3 remains useful where historical compatibility matters. JA4 is compact and handles selected permutations cleanly. Mercury retains more material for inspection and for analysis systems that need structured features.&lt;/p&gt;
&lt;p&gt;It also shows what none of the values can establish. The capture does not prove which person, device or application created the connection. Shared libraries, browser impersonation and software updates all complicate that inference. See &lt;a href="/blog/fingerprint-is-a-cohort-not-a-client/"&gt;A network fingerprint is a cohort, not a client&lt;/a&gt; for the operational consequences.&lt;/p&gt;
&lt;p&gt;For the history behind these design choices, read &lt;a href="/blog/two-lineages-tls-fingerprinting/"&gt;Two lineages of TLS fingerprinting&lt;/a&gt;. The durable format comparison is in &lt;a href="/learning/fingerprinting/mercury-vs-ja4-vs-ja3/"&gt;Mercury vs JA4 vs JA3&lt;/a&gt;.&lt;/p&gt;</content><category term="Security"></category><category term="TLS Fingerprinting"></category><category term="JA3"></category><category term="JA4"></category><category term="Cisco Mercury"></category><category term="Network Fingerprinting"></category><category term="Security Research"></category></entry></feed>