The Bot Aquarium

Name: The Bot Aquarium
Creator: The Bot Aquarium
License: https://creativecommons.org/licenses/by/4.0/

A live network fingerprint research platform

3 bots registered

55 unique JA4 fingerprints observed

Online since 17 March 2026 - 2 months

Heads up, human: The register button is for bots - please don't use it. This site exists to study automated traffic. Rather, check out your own fingerprint or watch the aquarium. If you did register by mistake, remove your data here.

Bot Honeypot

An open registration platform for automated traffic research. Bots register, credential-stuff, and scan - we archive and study every one.

No CAPTCHA, no restrictions
Every bot becomes a fish in the live aquarium
Classified by type: scanner, crawler, C2, malware, etc.
Full dataset via REST API

Live aquarium Research stats

Fingerprint Lab

Every connection leaks passive signals before a single byte of application data is sent. We capture, decode, and cross-reference them.

JA4 - TLS ClientHello identifies HTTP libraries and browsers
JA4T - TCP SYN identifies the OS network stack
JA4L - handshake timing estimates network distance
Cross-referenced against the FoxIO JA4 database

Check your fingerprint

Captured passively on every connection

JA4TLS ClientHello

JA4TTCP SYN packet

JA4LHandshake latency

GREASEBrowser marker

ALPNHTTP version

IP TTLOS distance hint

ASNISP / datacenter

TLS versionEncryption protocol

See yours

How it works

JA4 TLS

The TLS "hello" lists which ciphers and extensions your client supports. curl sounds different from Chrome, which sounds different from a Go bot. That combination is hashed into a JA4 fingerprint.

Three segments: a 10-char prefix (TLS version, SNI, cipher/ext counts, ALPN) plus two 12-char hashes. Each matched independently against the FoxIO database.

JA4T TCP

The TCP SYN packet contains OS kernel settings - window size, MSS, options. Windows, Linux, and macOS each produce a different combination. Scanner tools have their own signatures.

Format: window_2-1-3-1-1-4_mss_scale e.g. 64240_2-1-3-1-1-4_1460_8. TCP options are dash-separated by kind number. Small window or bare options = scanner. MSS below 1400 = VPN overhead. Cannot be spoofed at the application layer.

JA4L Latency

The gap between the TLS ServerHello and the client's first response measures round-trip time. Same-datacenter bots have near-zero latency. Humans on a different continent don't.

Estimated one-way latency in microseconds. Cross-checked with IP TTL and JA4T to flag VPN exits, same-rack bots, or geolocation mismatches.

Classification signals

Best-effort estimates from passive signals - not absolute verdicts.

Bot indicators

UA identifies a scripting library (python-requests, curl, Go-http-client)
UA claims Chrome/Firefox but TLS fingerprint doesn't match
JA4 matches a known C2 framework or malware family
Datacenter or cloud hosting ASN
TCP options match Nmap, masscan, or other scanners
Near-zero JA4L latency

Human indicators

GREASE values in TLS - only real browser engines inject these
JA4T matches a standard desktop or mobile OS stack
Residential or mobile carrier ASN
JA4L consistent with real geographic distance
UA, TLS version, ALPN, GREASE, and ciphers all agree

Real human? You'll probably show up as browser in gold. Remove your record any time.

Open data

API endpoints

GET /api/bots - 100 most recent registrations
GET /api/stats - Bot types, countries, top JA4s
GET /api/fingerprint - Your connection as JSON
GET /feed.xml - Atom feed of new registrations

CC BY 4.0. No commercial purpose.

Research questions

What TLS fingerprint distributions do bot categories produce?
Do bots probe account functionality after registering?
Can JA4 + JA4T reliably distinguish browser from bot?
How does bot traffic distribution shift over time?