In a Wireshark capture, why do normal HTTPS and Trojan-proxy traffic look identical to Deep Packet Inspection (DPI) — and how does the Server Name Indication (SNI) enable this?
Both show the same TCP+TLS handshake to port 443 with an SNI hostname and encrypted application data; SNI lets one server host many sites on one IP, so a proxy domain looks like just another website.
Side by side, the captures match frame for frame:
| Frame | Normal HTTPS | Trojan-Proxy |
|---|---|---|
| 1–2 | TCP SYN / SYN-ACK to :443 |
TCP SYN / SYN-ACK to :443 |
| 3 | TLS Client Hello, SNI: www.example.com | TLS Client Hello, SNI: proxy.example.com |
| 4 | TLS Server Hello | TLS Server Hello |
| 5+ | Encrypted application data (HTTP/2 GET…) | Encrypted application data (??? fully obscured) |
To DPI they are identical — both look like normal HTTPS to some website. SNI (Server Name Indication) is what makes this natural: it lets one web server host many sites on the same IP address, so a Trojan proxy domain is indistinguishable from yet another legitimately co-hosted site.
Tip: Because SNI-based virtual hosting is everywhere on the modern web, "another HTTPS site on a shared IP" is the most unremarkable thing a censor can see — perfect cover.
Go deeper:
Server Name Indication (Wikipedia) — the SNI virtual-hosting that makes a proxy domain look like any co-hosted site.