Inconsistencies

Where a client's self-declaration disagrees with what its connection actually proved at the wire. A User-Agent is a claim anyone can set; the TLS, TCP, and HTTP/2 fingerprints below are measured from the bytes. Disagreement is the classic signal of automation dressed as a browser — though VPNs, proxies, privacy tools, and shared fingerprints produce honest mismatches too, so these are leads, not verdicts. Each check scans every co-observed pairing on record (display capped at 500 per check).

Browser claim vs. tool fingerprint

A User-Agent claiming a mainstream browser, observed with a TLS ClientHello the JA4+ database identifies as a non-browser tool (curl, a C2 agent, a library). The TLS stack is far harder to forge convincingly than the User-Agent header.

fingerprintUser-Agentclaimswire showsconfidenceseenfirst seenlast seen
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like M… User-Agent claims Safari
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
Label distributionSliver Agent
Confidencehigh — repeated co-occurrence
high 508 2026-06-11 2026-07-02
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Label distributionSliver Agent
Confidencehigh — repeated co-occurrence
high 9 2026-06-16 2026-07-02
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) … User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.62 Safari/537.36
Label distributionSliver Agent
Confidencehigh — repeated co-occurrence
high 3 2026-07-01 2026-07-01

Browser claim vs. measured captures

A User-Agent claiming a browser the catalog has measured, at a version inside the measured range, whose TLS fingerprint is consistent with none of this site's controlled captures of that browser. Where the check above leans on an external label, this one is grounded in measurement. The comparison is layered: a fingerprint differing from a capture only in handshake-variant extensions (session resumption, 0-RTT, session tickets, padding) counts as consistent and is not shown; a differing cipher list is the stronger lead (medium); matching ciphers with a differing extension or signature-algorithm set is weaker (low) — most often a field-trial, ECH, or build variant not yet captured. It sharpens as catalog coverage broadens.

fingerprintUser-Agentclaimswire showsconfidenceseenfirst seenlast seen
No browser-vs-capture inconsistencies at high confidence in this window.

OS claim vs. TCP stack

A User-Agent's claimed operating system against the initial TTL of its TCP SYN. An initial TTL of 64 is Unix-like (Linux, macOS, iOS, Android, BSD); 128 is Windows. A "Windows" User-Agent arriving on a TTL-64 stack — or vice versa — is inconsistent, subject to the proxy/NAT caveats above.

fingerprintUser-Agentclaimswire showsconfidenceseenfirst seenlast seen
No OS-vs-TCP inconsistencies at high confidence in this window.

Bot claim vs. published operator ranges

A User-Agent declaring a major bot — a search or AI crawler or a user-triggered fetcher — observed from an IP outside the ranges that operator publishes for it, or inside a different operator's ranges. Unlike the checks above, this is not a wire-vs-claim contradiction: it is the self-declared identity against the operator's own authoritative published list. An IP the operator does not list, arriving under its bot's name, is almost always an impersonator — scrapers spoof crawlers to dodge rate limits and earn crawler treatment. The consistent side (an IP inside the published range) appears as a "published range match" on the fingerprint page, not here.

User-Agentclaimsfrom networkpublished ranges showconfidenceseenfirst seenlast seen
Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… Googlebot AS24940 Hetzner Online GmbH
Outside Googlebot's published ranges

This User-Agent claims Googlebot, but the connection's IP is outside the ranges Googlebot publishes for its crawler. The operator's own published list is the authority on which IPs are Googlebot, so an IP outside it is almost always an impersonator — honest exceptions (a brand-new range not yet in our snapshot, or a proxy relaying a real fetch) are rare.

Claimed crawlerGooglebot
NetworkAS24940 Hetzner Online GmbH
Confidencehigh — the operator publishes the IPs it uses and this one is not among them
high 1 2026-07-01 2026-07-01
Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… Googlebot AS20278 Nexeon Technologies, Inc.
Outside Googlebot's published ranges

This User-Agent claims Googlebot, but the connection's IP is outside the ranges Googlebot publishes for its crawler. The operator's own published list is the authority on which IPs are Googlebot, so an IP outside it is almost always an impersonator — honest exceptions (a brand-new range not yet in our snapshot, or a proxy relaying a real fetch) are rare.

Claimed crawlerGooglebot
NetworkAS20278 Nexeon Technologies, Inc.
Confidencehigh — the operator publishes the IPs it uses and this one is not among them
high 1 2026-07-01 2026-07-01

How confidence is assigned