LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

In a Wireshark capture, why do normal HTTPS and Trojan-proxy traffic look identical to Deep Packet Inspection (DPI) — and how does the Server Name Indication (SNI) enable this?

Both show the same TCP+TLS handshake to port 443 with an SNI hostname and encrypted application data; SNI lets one server host many sites on one IP, so a proxy domain looks like just another website.

Side by side, the captures match frame for frame:

Frame Normal HTTPS Trojan-Proxy
1–2 TCP SYN / SYN-ACK to :443 TCP SYN / SYN-ACK to :443
3 TLS Client Hello, SNI: www.example.com TLS Client Hello, SNI: proxy.example.com
4 TLS Server Hello TLS Server Hello
5+ Encrypted application data (HTTP/2 GET…) Encrypted application data (??? fully obscured)

To DPI they are identical — both look like normal HTTPS to some website. SNI (Server Name Indication) is what makes this natural: it lets one web server host many sites on the same IP address, so a Trojan proxy domain is indistinguishable from yet another legitimately co-hosted site.

Tip: Because SNI-based virtual hosting is everywhere on the modern web, "another HTTPS site on a shared IP" is the most unremarkable thing a censor can see — perfect cover.

Go deeper:

From Quiz: PRIVACY / Anonymous Surfing, Tor & Location Tracking | Updated: Jul 14, 2026