
Server Name Indication (SNI)

Definition

A TLS extension sent in plaintext in the Client Hello message that identifies the hostname the client intends to reach. SNI is visible to any network observer and is a primary source of destination intelligence in encrypted traffic analysis. Encrypted Client Hello (ECH), not yet widely deployed, would hide the SNI field.

Related terms

DNS query log
A record maintained by a DNS resolver listing each domain name query, the requesting IP address, the response, and the timestamp. DNS...
Encapsulation
The process by which each OSI layer wraps the payload from the layer above it inside its own header (and sometimes trailer)....
Flow record
A summary record of a network conversation, typically recording source and destination IP addresses and ports, protocol, start time, duration, byte count...
JA3 fingerprint
An MD5 hash computed from selected fields of the TLS Client Hello: the TLS version, cipher suites, extensions, elliptic curves, and elliptic-curve...
PCAP (packet capture file)
A binary file format that stores raw network traffic captured from a network interface. Tools such as Wireshark, tcpdump, and Zeek read...
Protocol Data Unit (PDU)
The named unit of data at each OSI layer: a frame at Layer 2, a packet at Layer 3, a segment at...
SSL inspection (TLS interception)
A technique in which an intermediary device terminates an incoming TLS session, inspects the decrypted content, then re-encrypts and forwards it using...
SSLKEYLOGFILE
A file format, originally implemented in Mozilla Firefox and later adopted by Chrome and other browsers, that logs TLS session keys as...
TCP three-way handshake
The connection establishment sequence in TCP: the client sends SYN, the server responds SYN-ACK, and the client completes with ACK. The timestamps...
Traffic fingerprinting
The process of identifying an application, protocol, or user action from statistical properties of an encrypted flow, such as packet size distributions,...

Explained in these topics

  • Encrypted Traffic Analysis: A TLS extension sent in plaintext in the Client Hello message that identifies the hostname the client intends to reach. SNI is visible to any network observer...
  • The OSI Model and Protocols for Network Investigators: A TLS extension in which the client includes the target hostname in the ClientHello message before encryption is established. SNI is visible in plaintext in a...
