Probe SNI Extraction

Overview

WhiteOwl Probe can extract Server Name Indication (SNI) hostnames from encrypted TLS and QUIC connections. This provides visibility into which domains your network is communicating with, even for encrypted traffic.

SNI is sent in cleartext during the TLS/QUIC handshake before encryption is established, making it accessible for network monitoring without breaking encryption.

Supported Protocols

Protocol	Port	Method
TLS (HTTPS)	TCP/443	Parse ClientHello SNI extension
QUIC	UDP/443	Decrypt Initial packet, parse ClientHello

Configuration

config.yaml

capture:
  interface: en0
  promiscuous: true
  snap_len: 1500        # Required: must be 1500 for QUIC SNI
  buffer_size_mb: 64
  capture_sni: true     # Enable/disable SNI extraction

export:
  collector_ip: 192.168.100.132
  collector_port: 2055
  track_tcp_performance: true

Environment Variables

CAPTURE_SNI=true        # Enable SNI capture
CAPTURE_SNAP_LEN=1500   # Packet capture length

Important Notes

snap_len must be 1500 when capture_sni is enabled
- QUIC Initial packets are padded to minimum 1200 bytes
- TLS ClientHello typically fits in first packet but may be larger
SNI is captured once per flow (first ClientHello seen)
SNI is only captured on outbound connections (dst_port=443)

Data Flow

Packet Capture
      │
      ▼
┌─────────────────┐
│ TCP/443 packet? │──Yes──▶ Parse TLS ClientHello ──▶ Extract SNI
└─────────────────┘
      │ No
      ▼
┌─────────────────┐
│ UDP/443 packet? │──Yes──▶ Decrypt QUIC Initial ──▶ Parse ClientHello ──▶ Extract SNI
└─────────────────┘
      │
      ▼
   Flow Table (f.SNI)
      │
      ▼
   IPFIX Export (field 460)
      │
      ▼
   goflow2 → Kafka → ClickHouse

Performance Impact

TLS SNI (TCP/443)

Method: Byte parsing only, no cryptography
When: Once per flow, only on ClientHello packets
Impact: Negligible (less than 1% CPU overhead)

QUIC SNI (UDP/443)

Method: HKDF key derivation + AES-GCM decryption
When: Only on QUIC Initial packets (first packet of connection)
Impact: Moderate, but limited to connection setup

Snaplen 1500 vs 128

More data copied per packet
Only affects large packets (small packets still copy actual size)
Impact: 5-15% more memory bandwidth on bulk transfers

Estimated CPU Impact by Traffic Rate

Packets/sec	SNI Disabled	TLS SNI Only	TLS + QUIC SNI
1,000	Baseline	+0.5%	+1-2%
10,000	Baseline	+1%	+3-5%
50,000	Baseline	+2%	+8-12%
100,000	Baseline	+3%	+15-25%

Factors Affecting Performance

Connection rate — More new connections = more SNI extractions
QUIC usage — Sites like Google, YouTube, Facebook use QUIC heavily
CPU speed — AES-NI hardware acceleration helps QUIC decryption
Traffic mix — Bulk transfers (few connections) vs web browsing (many connections)

Optimization Options

If you experience high CPU usage, consider these options:

Disable QUIC SNI Only

capture:
  capture_sni: true
  capture_quic_sni: false  # Future option

Use BPF Filter to Limit Capture

capture:
  bpf_filter: "tcp port 443"  # Skip UDP/QUIC entirely

Common BPF Filters

Filter	Description
`""`	Capture all traffic (default, no filter)
`"port 443"`	Only port 443 (both TCP and UDP/QUIC)
`"tcp port 443"`	Only TCP/443 (skip QUIC for lower CPU)
`"tcp or udp port 443"`	All TCP + UDP/443 only
`"not net 10.0.0.0/8"`	Exclude specific subnet from capture

Sample High-Rate Traffic

Deploy probe on mirrored port with sampling enabled for high-volume environments. ericgraham@StephaniesiMac7 Downloads %

Overview​

Supported Protocols​

Configuration​

config.yaml​

Environment Variables​

Important Notes​

Data Flow​

Performance Impact​

TLS SNI (TCP/443)​

QUIC SNI (UDP/443)​

Snaplen 1500 vs 128​

Estimated CPU Impact by Traffic Rate​

Factors Affecting Performance​

Optimization Options​

Disable QUIC SNI Only​

Use BPF Filter to Limit Capture​

Common BPF Filters​

Sample High-Rate Traffic​