Server Metadata Fields
The Electrum Observatory scanner records a structured set of fields for every reachable Electrum server. These fields describe network reachability, protocol behavior, TLS identity, infrastructure, and internal analysis flags. This page documents the schema used in the exported datasets.
1. Basic Metadata
Low-level connection and reachability information for each server.
| Field | Description |
|---|---|
| ip | Server IP address. |
| port | Port used (TCP or SSL). |
| ssl | Boolean flag indicating SSL/TLS usage. |
| reachable | Whether the connection handshake succeeded. |
| latency_ms | Round-trip time for basic queries, in milliseconds. |
2. Protocol Metadata
Fields describing the Electrum protocol-level behavior and reported versions.
| Field | Description |
|---|---|
| banner | Reported server banner string. |
| protocol_version | Electrum protocol version negotiated. |
| server_version | Implementation version (e.g., ElectrumX, Electrs, Fulcrum). |
3. TLS Metadata
TLS certificate information used for identity, reuse, and honeypot analysis.
| Field | Description |
|---|---|
| certificate_sha256 | SHA-256 fingerprint of the TLS certificate. |
| issuer | Certificate issuer (CA or internal authority). |
| valid_from | Certificate validity start timestamp. |
| valid_to | Certificate expiration timestamp. |
| san_dns | DNS names contained in the Subject Alternative Name extension. |
4. Behavioral Metadata
Fields that summarize how the server responds to different queries, including timing behavior and error handling.
| Field | Description |
|---|---|
| balance_response | Structured result of the balance probe. |
| history_response | Structured result of the history probe. |
| rate_limit_triggered | Whether rate limiting was triggered during tests. |
| malformed_response | How the server responds to malformed or invalid queries. |
| timing_variance | Standard deviation of response latency across repeated probes. |
| fingerprint_hash | Hash summarizing the server's behavioral profile. |
5. Geo & Infrastructure
GeoIP and hosting-related metadata used to detect concentration in providers or ASNs.
| Field | Description |
|---|---|
| country | GeoIP country associated with the server IP. |
| city | GeoIP city (when available). |
| asn | Autonomous System Number. |
| org | Organization or ISP name from GeoIP. |
| cloud_provider | Cloud provider classification (AWS, GCP, Hetzner, OVH, etc.). |
6. Internal Flags
Fields derived from internal analysis and scoring. These are not direct protocol values but higher-level interpretations.
| Field | Description |
|---|---|
| honeypot_score | Aggregate suspicion score derived from multiple indicators. |
| cluster_id | Label of the behavioral or infrastructure cluster. |
| notes | Free-text notes for manual observations and annotations. |