Driftnet
Data
Documentation
Pricing

API Documentation

JARM Fingerprints

Overview

A JARM fingerprint is a signature for a server's TLS stack.

Driftnet takes JARM fingerprints from every TLS server it encounters, no matter the port that server is running on.

Searching

Fingerprints can be looked up either by JARM hash:

Example Request
curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/scan/jarm?hash=29d3fd00029d29d00042d43d00041df6ab62833359bd21fbf27287504787f8' \
  | jq . \
  | less -S

...or by IP address or CIDR range:

Example Request
curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/scan/jarm?ip=8.8.8.0/24' \
  | jq . \
  | less -S
Example Response
{
  "page": 0,
  "pages": 1,
  "result_count": 20,
  "results": [
    {
      "date": "2019-05-13",
      "id": "auAgGXRnS8WguQIdjPhfvw",
      "items": [
        {
          "context": "",
          "is_metadata": true,
          "type": "ip",
          "value": "8.8.8.8"
        },
        {
          "context": "",
          "is_metadata": true,
          "type": "port-tcp",
          "value": "853"
        },
        {
          "context": "",
          "is_metadata": false,
          "type": "jarm-rawhash",
          "value": "c02f|0303||0017-ff01-000b-0023,cca8|0303||0017-ff01-000b-0023,...
        },
        {
          "context": "",
          "is_metadata": false,
          "type": "jarm-fuzzyhash",
          "value": "29d3fd00029d29d00042d43d00041df6ab62833359bd21fbf27287504787f8"
        }
      ]
    },
    ...

Results are in the same "report" format described in the Internet Scans section. They include the IP address, port, and the raw and fuzzy JARM hashes.

The scan/jarm endpoint also accepts the page=, from= / to=, filter= and summarize= parameters. These work in exactly the same way as described in the Internet Scans section.

To see only the most recent lookup results for an IP and port, set the most_recent=true parameter.