Offline. Deterministic. By architecture.

SNF (Shadow Network Fingerprinting Engine) is a 100% offline, air-gap-native passive network intelligence platform written entirely in Rust. It captures raw packets, reconstructs TCP/UDP flows, and runs them through 14 deterministic protocol analyzers - producing structured NDJSON output, court-admissible evidence bundles, and forensic baseline reports without ever making a network call.

The core guarantee: F(dataset, config, version) = identical NDJSON output every run. Same PCAP, same config, same SNF version - SHA-256 identical output on any machine, any analyst, any time. This is the determinism contract, and every architectural decision in SNF is subordinate to it.
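
One way an analyst could check the determinism contract on two runs of the same PCAP, as an added example (not SNF's own code): it compares the two NDJSON outputs by SHA-256 and, on a mismatch, reports the first divergent line and which fields differ. The record fields in the sample data are constructed for illustration and are not SNF's actual event schema.

```python
import hashlib
import json

# Constructed sample outputs; field names are illustrative, not SNF's schema.
RUN_1 = (b'{"seq":1,"proto":"dns","query":"example.test"}\n'
         b'{"seq":2,"proto":"tls","sni":"example.test"}\n')
RUN_2 = RUN_1                                        # identical re-run
RUN_3 = RUN_1.replace(b'"sni":"example.test"', b'"sni":"other.test"')
RUN_4 = RUN_1.replace(b'{"seq":2,"proto":"tls"', b'{"proto":"tls","seq":2')


def differing_keys(line_a, line_b):
    """Return the sorted keys whose values differ, or None if a line is missing or not a JSON object."""
    try:
        rec_a, rec_b = json.loads(line_a), json.loads(line_b)
    except (TypeError, ValueError):
        return None
    if not (isinstance(rec_a, dict) and isinstance(rec_b, dict)):
        return None
    return sorted(k for k in rec_a.keys() | rec_b.keys()
                  if rec_a.get(k) != rec_b.get(k))


def compare_runs(run_a: bytes, run_b: bytes) -> dict:
    """Byte-level comparison: the contract demands identical SHA-256, not just equal JSON."""
    result = {"sha256_a": hashlib.sha256(run_a).hexdigest(),
              "sha256_b": hashlib.sha256(run_b).hexdigest()}
    result["identical"] = result["sha256_a"] == result["sha256_b"]
    if result["identical"]:
        return result
    lines_a, lines_b = run_a.split(b"\n"), run_b.split(b"\n")
    for i in range(max(len(lines_a), len(lines_b))):
        a = lines_a[i] if i < len(lines_a) else None
        b = lines_b[i] if i < len(lines_b) else None
        if a != b:
            result["first_divergent_line"] = i + 1      # 1-based record number
            result["differing_keys"] = differing_keys(a, b)
            break
    return result


if __name__ == "__main__":
    for name, other in (("RUN_2", RUN_2), ("RUN_3", RUN_3), ("RUN_4", RUN_4)):
        print(name, compare_runs(RUN_1, other))
```

An empty `differing_keys` list on a mismatch means the records are semantically equal but serialized differently (for example, reordered keys), which still breaks a byte-identical guarantee.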

Zero network calls. Ever. Not as a setting, not as a mode - as an architectural constraint. SNF does not phone home, does not require internet access, and does not function differently in an air-gapped room than it does connected to the internet. Because it was designed that way from day one.

~50K Lines of Rust
200+ Source Files
24 Phases Complete
98.8% Test Coverage
1.25 Gbps Single-Core
14.9M Packets - Zero Crashes

What existing tools cannot do.

The tools that dominate network security today - Zeek, Suricata, Darktrace, Vectra, CrowdStrike - were built for connected environments. They assume cloud access for updates, telemetry, and analysis. In a classified network, a nuclear facility, a defense air-gap, or an OT environment, they are either illegal to deploy or architecturally incapable of operating.

Beyond connectivity, they share a deeper problem: non-determinism. Wireshark is analyst-dependent. Zeek output varies by configuration drift. No tool in mainstream use can prove that two analysts running the same PCAP will get the same result - which makes their output inadmissible as court evidence without extensive manual verification.

How it's built.

SNF uses a two-binary design: snf_core (the capture and analysis engine) and snf_report (the reporting and output engine). The analysis path runs 14 protocol analyzers in a locked execution order - DNS, TLS, QUIC, HTTP/1.1, HTTP/2, DHCP, ICMP, SMB, and five ICS/SCADA protocols among them - producing deterministic events regardless of threading model or platform.

Four operation modes cover the full deployment surface: Forensic (multi-threaded, full output, DFIR post-mortem), Monitor (live 24/7 SOC sensor), Replay (single-threaded, deterministic, court evidence), and Stealth (silent NDJSON, zero console output, covert sensor). A fifth mode, Redact, produces GDPR/HIPAA-safe PCAP with consistent IP/MAC anonymization and a full audit manifest - enabling PCAP sharing without legal exposure.

The security constraint system formalizes 28 non-negotiable rules enforced at the code level: bounded allocations, capped loops, zero unwrap/expect in production paths, pre-allocated flow tables, atomic file writes, path traversal protection, and self-learning gated by mode so Replay and Stealth produce zero disk side effects. These are auditable, not aspirational.

What SNF is not.

SNF occupies a specific and narrow space. Understanding what it is not is as important as understanding what it is.

Who builds it.

SNF is developed and maintained by SNF Labs, an independent division of RSAAT Labs. SNF Labs carries its own brand identity, targets a distinct audience - security researchers, incident responders, DFIR teams, and critical infrastructure operators - and operates independently in terms of product, go-to-market, and technical roadmap.

The parent organization, RSAAT Labs, is an independent software lab building tools across developer productivity, consumer SaaS, and deep security engineering. Both entities share the same founding philosophy: software should do what it says it does, with precision and no overhead.

Parent Organization
RSAAT Labs

An independent software lab building developer tools, passive network security engines, and consumer SaaS products. No bloat, no dark patterns, no nonsense. Every product that ships is built to be genuinely useful, technically sound, and respectful of the people using it. Privacy is architecture, not policy.

rsaatlabs.com

Built by one person.

SNF is a single-author project - designed, architected, and implemented from the ground up. ~50,000 lines of Rust, 24 implementation phases, 200+ source files, validated against 18 real-world PCAPs including MAWI backbone traffic at 14.9 million packets. Not a team project. Not a prototype. A production-grade forensics engine built with the kind of focus that distributed teams rarely achieve.

Tejas Padigel
Founder, SNF Labs & RSAAT Labs

Designer and developer of SNF - Shadow Network Fingerprinting Engine. B.Tech CSE (Cybersecurity). Builder of tools that work in the real world, under constraints, without compromise.