API Documentation
Overview
A JA4TScan fingerprint is a signature for a server's TCP stack.
Driftnet takes JA4TScan fingerprints from all open TCP ports it encounters, except where the remote device has an unusually large number of ports open, in which case only a selected set of ports is fingerprinted.
Fingerprints may be taken from multiple TCP ports on the same remote IP address. Variation in these fingerprints can indicate forwarding to multiple devices behind the remote IP.
Searching
Fingerprints can be looked up either by JA4TScan hash:
curl -s -H 'Authorization: Bearer <your-api-token>' \
  'https://api.driftnet.io/v1/scan/ja4tscan?hash=62727_2-4-8-1-3_8961_7_1-2-4-8-16' \
  | jq . \
  | less -S
...or by IP address or CIDR range:
curl -s -H 'Authorization: Bearer <your-api-token>' \
  'https://api.driftnet.io/v1/scan/ja4tscan?ip=8.8.8.0/24' \
  | jq . \
  | less -S

{
  "page": 0,
  "pages": 1,
  "result_count": 2,
  "results": [
    {
      "date": "2019-05-13",
      "id": "auAgGXRnS8WguQIdjPhfvw",
      "items": [
        { "context": "", "is_metadata": true, "type": "ip", "value": "8.8.8.8" },
        { "context": "", "is_metadata": true, "type": "port-tcp", "value": "443" },
        ...
        { "context": "", "is_metadata": false, "type": "ja4tscan-hash", "value": "65535_2-4-8-1-3_1412_8_0-2-4-8-16" }
      ]
    },
    ...
Results are in the same "report" format described in the Internet Scans section. They include the IP address, port, and the JA4TScan hash.
The scan/ja4tscan endpoint also accepts the page=, from= / to=, filter= and summarize= parameters. These work in exactly the same way as described in the Internet Scans section.
To see only the most recent lookup results for an IP and port, set the most_recent=true parameter.
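The following is an added example, not part of the Driftnet documentation: it reads a response in the report format shown above, keeps the newest fingerprint per IP and port, and lists IPs whose ports return more than one JA4TScan hash, the variation the Overview says can indicate forwarding to multiple devices. It assumes each report carries one ip, one port-tcp and one ja4tscan-hash item; the function names and the sample response are constructed for illustration.

```python
from collections import defaultdict

A = "65535_2-4-8-1-3_1412_8_0-2-4-8-16"  # hash strings taken from this page
B = "62727_2-4-8-1-3_8961_7_1-2-4-8-16"

def _report(date, ip, port, ja4ts):
    """Build one constructed report using the item layout shown above."""
    meta = [{"context": "", "is_metadata": True, "type": t, "value": v}
            for t, v in (("ip", ip), ("port-tcp", port))]
    return {"date": date, "items": meta + [
        {"context": "", "is_metadata": False, "type": "ja4tscan-hash", "value": ja4ts}]}

# Constructed sample response (documentation IP ranges, not real scan data).
SAMPLE = {"page": 0, "pages": 1, "result_count": 7, "results": [
    _report("2024-01-02", "192.0.2.10", "22", A),
    _report("2024-01-02", "192.0.2.10", "80", B),
    _report("2023-06-01", "192.0.2.10", "443", A),  # older, superseded below
    _report("2024-01-02", "192.0.2.10", "443", B),
    _report("2024-01-02", "198.51.100.7", "80", A),
    _report("2024-01-02", "198.51.100.7", "443", A),
    {"date": "2024-01-02", "items": []},  # malformed report, skipped
]}

def latest_hash_per_port(response):
    """Map ip -> {port: hash}, keeping the newest report per (ip, port)."""
    newest = {}
    for report in response.get("results", []):
        fields = {i["type"]: i["value"] for i in report.get("items", [])}
        if not fields.keys() >= {"ip", "port-tcp", "ja4tscan-hash"}:
            continue  # skip reports missing any of the three fields
        key = (fields["ip"], fields["port-tcp"])
        seen = (report["date"], fields["ja4tscan-hash"])
        if key not in newest or seen[0] > newest[key][0]:  # ISO dates sort as text
            newest[key] = seen
    by_ip = defaultdict(dict)
    for (ip, port), (_, ja4ts) in newest.items():
        by_ip[ip][port] = ja4ts
    return dict(by_ip)

def mixed_stack_ips(response):
    """Return ip -> {hash: sorted ports} for IPs showing more than one hash."""
    out = {}
    for ip, ports in latest_hash_per_port(response).items():
        groups = defaultdict(list)
        for port, ja4ts in ports.items():
            groups[ja4ts].append(port)
        if len(groups) > 1:
            out[ip] = {h: sorted(p, key=int) for h, p in groups.items()}
    return out
```

Pass the parsed JSON body of a scan/ja4tscan?ip= query to mixed_stack_ips; a multi-page response needs each page fetched and its results merged first.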