Crank-Git/ja4monitor

ja4monitor

Real-time network monitor that uses JA4+ fingerprinting to identify applications, detect anomalies, and build a baseline of "normal" for your network. Like htop for network fingerprints.

Ships as a single binary.

Quick Start

# Live monitoring (packet capture needs root, or CAP_NET_RAW/CAP_NET_ADMIN granted to the binary)
sudo ja4monitor live eth0

# With BPF filter
sudo ja4monitor live eth0 --filter "port 443"

# JSON output (no TUI, pipe to jq/other tools)
sudo ja4monitor live eth0 --json

# Analyze a PCAP file (no root needed)
ja4monitor analyze capture.pcap

# JSON output from PCAP
ja4monitor analyze capture.pcap --json

# Only specific fingerprint types
ja4monitor analyze capture.pcap --types ja4,ja4t

What It Does

ja4monitor fingerprints every connection on your network using all 10 JA4+ methods:

Type    What it fingerprints
JA4     TLS client application (Chrome vs Firefox vs Cobalt Strike)
JA4S    TLS server response
JA4H    HTTP client, from request headers
JA4T    Client OS, from the TCP SYN (window size, MSS, options)
JA4TS   Server, from the TCP SYN-ACK
JA4L    Network latency, from handshake timing
JA4X    Certificate generation method (X.509 structure)
JA4SSH  SSH session type (shell vs tunnel vs file transfer)
JA4D    DHCP client implementation and OS
JA4D6   DHCPv6 client implementation and OS

Each fingerprint is looked up in the local FoxIO JA4+ database to name known applications (lookups against ja4db.com on a local miss are off unless you pass --remote-lookup), and the following are flagged:

  • [NEW] First-seen fingerprints (never observed on this network before, and not seen during the learning window)
  • [ALERT] Fingerprints on the known-bad list (Cobalt Strike, Sliver, Metasploit, etc.; the embedded list can be overridden with --known-bad-apps)
  • VPN/tunnel detection via JA4T MSS analysis: a SYN advertising an MSS below the plain-Ethernet value indicates encapsulation somewhere on the path
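The JA4T MSS check above, as an added example that is not ja4monitor's or ja4plus-go's code: a minimal parser that walks the TCP options of a raw SYN, renders the window_options_mss_wscale string, and applies the MSS heuristic. The "00" placeholder for an absent option, the 1460/1440 baselines and the constructed SYN bytes are my assumptions, not taken from the project.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// JA4T holds the four parts of a TCP SYN fingerprint. MSS 0 means the option
// was absent; WScale -1 means the window-scale option was absent (0 is legal).
type JA4T struct {
	Window  uint16
	Options []uint8 // option kinds in wire order
	MSS     uint16
	WScale  int
}

// ParseSYN extracts the JA4T fields from a raw TCP header (no IP header in
// front), rejecting non-SYNs and any option length that runs past the header.
func ParseSYN(tcp []byte) (JA4T, error) {
	f := JA4T{WScale: -1}
	if len(tcp) < 20 {
		return f, errors.New("tcp header shorter than 20 bytes")
	}
	hdrLen := int(tcp[12]>>4) * 4
	if hdrLen < 20 || hdrLen > len(tcp) {
		return f, errors.New("data offset outside buffer")
	}
	if tcp[13]&0x02 == 0 || tcp[13]&0x10 != 0 { // SYN set, ACK clear
		return f, errors.New("not a client SYN")
	}
	f.Window = binary.BigEndian.Uint16(tcp[14:16])
	opts := tcp[20:hdrLen]
	for i := 0; i < len(opts); {
		kind := opts[i]
		if kind == 0 { // end of option list; the rest is padding
			break
		}
		f.Options = append(f.Options, kind)
		if kind == 1 { // NOP carries no length byte
			i++
			continue
		}
		if i+1 >= len(opts) || opts[i+1] < 2 || i+int(opts[i+1]) > len(opts) {
			return f, errors.New("malformed option length")
		}
		l := int(opts[i+1])
		switch {
		case kind == 2 && l == 4:
			f.MSS = binary.BigEndian.Uint16(opts[i+2 : i+4])
		case kind == 3 && l == 3:
			f.WScale = int(opts[i+2])
		}
		i += l
	}
	return f, nil
}

// String renders window_options_mss_wscale; "00" for an absent MSS or window
// scale is my reading of the FoxIO layout, treat it as an assumption.
func (f JA4T) String() string {
	kinds := make([]string, len(f.Options))
	for i, k := range f.Options {
		kinds[i] = fmt.Sprint(k)
	}
	mss, ws := "00", "00"
	if f.MSS != 0 {
		mss = fmt.Sprint(f.MSS)
	}
	if f.WScale >= 0 {
		ws = fmt.Sprint(f.WScale)
	}
	return fmt.Sprintf("%d_%s_%s_%s", f.Window, strings.Join(kinds, "-"), mss, ws)
}

// SuspectTunnel is the MSS heuristic: plain Ethernet gives 1460 (IPv4) or 1440
// (IPv6); anything lower means the path lost bytes to encapsulation, as IPsec,
// OpenVPN, WireGuard and GRE do. PPPoE and mobile carriers clamp MSS too, so a
// hit is a lead, not a verdict. The baseline values are my choice.
func SuspectTunnel(f JA4T, ipv6 bool) bool {
	base := uint16(1460)
	if ipv6 {
		base = 1440
	}
	return f.MSS != 0 && f.MSS < base
}

// synHeader builds a constructed Linux-style SYN: MSS, SACK-permitted,
// timestamps, NOP, window scale (20 option bytes, so data offset is 10 words).
func synHeader(mss uint16, wscale uint8) []byte {
	h := []byte{
		0xC0, 0x00, 0x01, 0xBB, 0, 0, 0, 0, 0, 0, 0, 0, // ports 49152->443, seq, ack
		0xA0, 0x02, 0xFA, 0xF0, 0, 0, 0, 0, // offset 10, SYN, window 64240, csum, urg
	}
	opts := []byte{
		2, 4, byte(mss >> 8), byte(mss), 4, 2, // MSS, SACK permitted
		8, 10, 0, 0, 0, 1, 0, 0, 0, 0, // timestamps
		1, 3, 3, wscale, // NOP, window scale
	}
	return append(h, opts...)
}

func main() {
	for _, mss := range []uint16{1460, 1380} {
		f, err := ParseSYN(synHeader(mss, 7))
		fmt.Printf("%-26s err=%v tunnel-suspect=%v\n", f, err, SuspectTunnel(f, false))
	}
}
```

The parser validates the data offset and every option length before indexing, which is the part worth getting right when the input is hostile traffic. Whether the address family is IPv6 matters for the threshold: a 1440 MSS is the normal IPv6 value and would be a false positive against the IPv4 baseline.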

Features

  • Live TUI dashboard with real-time connection table
  • PCAP file analysis with zero dependencies (pure Go reader)
  • Learning mode (default 60 minutes): fingerprints first seen during the window are added to the baseline without a [NEW] flag; after the window closes, new ones are flagged. Anything already on the wire during learning becomes part of the baseline, so start learning from a state you trust.
  • Sharded processing for high-throughput networks (configurable, default 4 shards)
  • SQLite persistence for first-seen tracking across restarts
  • JSON output for piping to SIEM, jq, or other tools
  • BPF filters for targeting specific traffic
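The learning-mode and first-seen logic described above, written out as an added example; it is not ja4monitor's implementation. State is kept in an in-memory map rather than SQLite, keys are type-prefixed fingerprint strings, and the known-bad entries and event stream are constructed placeholders, none of which are real JA4+ values.

```go
package main

import (
	"fmt"
	"time"
)

// Verdict is what the tracker says about one observed fingerprint.
type Verdict int

const (
	Learned Verdict = iota // first seen inside the learning window: baselined, no flag
	Known                  // seen before: nothing to report
	New                    // first seen after the window closed: [NEW]
	Alert                  // on the known-bad list: [ALERT], whatever the phase
)

func (v Verdict) String() string {
	return [...]string{"learned", "known", "[NEW]", "[ALERT]"}[v]
}

// Tracker keeps first-seen state in memory; a persistent store (the tool uses
// SQLite) is what makes the baseline survive restarts. learn == 0 disables
// the learning window, so every first sighting is [NEW] from the start.
type Tracker struct {
	start     time.Time
	learn     time.Duration
	firstSeen map[string]time.Time
	knownBad  map[string]string // fingerprint key -> tool name
}

func NewTracker(start time.Time, learn time.Duration, knownBad map[string]string) *Tracker {
	return &Tracker{start: start, learn: learn, firstSeen: map[string]time.Time{}, knownBad: knownBad}
}

// Learning reports whether now still falls inside the learning window.
func (t *Tracker) Learning(now time.Time) bool {
	return t.learn > 0 && now.Sub(t.start) < t.learn
}

// Observe records key (e.g. "ja4:<fingerprint>") at time now and returns the
// verdict, plus the matched tool name for Alert. The known-bad list is checked
// before the learning window so a C2 fingerprint present during learning is
// reported instead of quietly becoming part of the baseline.
func (t *Tracker) Observe(key string, now time.Time) (Verdict, string) {
	if name, ok := t.knownBad[key]; ok {
		return Alert, name
	}
	if _, seen := t.firstSeen[key]; seen {
		return Known, ""
	}
	t.firstSeen[key] = now
	if t.Learning(now) {
		return Learned, ""
	}
	return New, ""
}

// Baseline returns how many distinct fingerprints have been recorded.
func (t *Tracker) Baseline() int { return len(t.firstSeen) }

type event struct {
	at  time.Duration // offset from tracker start
	key string
}

func main() {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	// Constructed known-bad list; the key is a placeholder, not a real JA4 value.
	tr := NewTracker(start, 60*time.Minute, map[string]string{
		"ja4:t13d00000000_constructed_badtool": "constructed-c2-framework",
	})
	// Constructed event stream: two learners, a repeat, a late newcomer, a hit.
	stream := []event{
		{5 * time.Minute, "ja4:constructed-browser-A"},
		{6 * time.Minute, "ja4t:constructed-linux-syn"},
		{65 * time.Minute, "ja4:constructed-browser-A"},
		{70 * time.Minute, "ja4:constructed-browser-B"},
		{71 * time.Minute, "ja4:t13d00000000_constructed_badtool"},
	}
	for _, e := range stream {
		v, name := tr.Observe(e.key, start.Add(e.at))
		fmt.Printf("%5s %-8s %s %s\n", e.at, v, e.key, name)
	}
	fmt.Println("baseline size:", tr.Baseline())
}
```

One design point that the flag list does not spell out: keying by type as well as value keeps a JA4 and a JA4T string that happen to collide from sharing a first-seen record, and deciding whether a known-bad match should still be written to the baseline is a policy choice; here it is not, so removing an entry from the known-bad list later makes it show up as [NEW] on its next sighting.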

Install

From source

# With live capture support (requires libpcap-dev)
sudo apt-get install libpcap-dev  # Debian/Ubuntu
go install github.com/Crank-Git/ja4monitor/cmd/ja4monitor@latest

# PCAP-only build (no libpcap needed)
go install -tags pcaponly github.com/Crank-Git/ja4monitor/cmd/ja4monitor@latest

From releases

Download prebuilt binaries from GitHub Releases.

Flags

--filter          BPF filter (e.g., "port 443")
--json            JSON output to stdout (no TUI)
--types           Comma-separated fingerprint types (e.g., "ja4,ja4t")
--db              SQLite database path (default: ~/.ja4monitor/ja4monitor.db)
--learn-duration  Learning period in minutes (default: 60, 0=disabled)
--shards          Number of processor shards (default: 4)
--remote-lookup   Enable opt-in ja4db.com lookup on local DB miss (default: off)
--known-bad-apps  Path to a TOML override for the embedded known-bad apps list

Architecture

Capture -> Router -> Sharded Processors -> Connection Tracker -> TUI
                          |                       |
                     ja4plus-go             SQLite Storage
                    (10 fingerprinters)   (batched writes, WAL)

Built on ja4plus-go, an independent Go implementation of all JA4+ fingerprinting methods.

Upgrading from a pre-v0.7.1 release

ja4plus-go's FoxIO-spec-2026-05 update changes the fingerprint string format for JA4, JA4H, JA4D, JA4SSH, and JA4L. Persisted first_seen entries written by older binaries no longer match what live capture produces, so the new binary warns on startup. Run:

ja4monitor migrate-fingerprints           # dry-run, shows what would change
ja4monitor migrate-fingerprints --apply   # delete stale rows

JA4S, JA4T, JA4TS, JA4X, and JA4D6 are unaffected; their first_seen entries are preserved. Back up the database (default ~/.ja4monitor/ja4monitor.db) before --apply, and expect a burst of [NEW] flags for the five migrated types afterwards unless you run through another learning window.

License

BSD-3-Clause. JA4+ methods (except JA4) are under FoxIO License 1.1, which permits internal security monitoring use.
