Tutorial · Estimated reading 14 mins

Enable Clash Meta Sniffer:
Fix Misrouted HTTPS When Rules Miss the Real Domain

You already run TUN and FakeIP, yet a few HTTPS sites still land on the wrong policy group. Often the rule engine only sees a destination IP (or a pooled FakeIP) before it can know the real site name. Clash.Meta / Mihomo Sniffer reads the TLS SNI (and HTTP Host) so DOMAIN rules match the hostname users actually intended. Below: how to enable sniffer, what override-destination changes, how DNS fits in, and the usual pitfalls.

Sniffer · SNI · HTTPS · override-destination · policy groups

1 Why a few HTTPS flows still pick the wrong policy group

Split routing in Clash.Meta / Mihomo is driven by rules that consult domain names, IP ranges, GeoIP databases, and rule sets. Many of those matchers assume the core already knows which hostname the user is trying to reach. In practice, the first packet the proxy sees for a new TCP connection often carries only a destination IP address. Until the TLS handshake exposes metadata, the engine may classify traffic using that IP alone. If the IP is shared by a CDN, belongs to a cloud provider’s anycast front, or comes from your own FakeIP pool, a naive IP-CIDR or broad GEOIP line can win before any domain-specific rule gets a chance. The symptom is frustrating: TUN mode is on, DNS looks “correct” in isolation, yet one site exits through the generic MATCH bucket or a region you did not intend.

FakeIP mode accelerates local resolution by handing clients synthetic addresses from a reserved range and maintaining an internal mapping back to real names. That design is excellent for privacy and performance, but it also means the connection table sometimes shows a fake address at the instant rules first evaluate. Without additional hints, the policy layer cannot distinguish two different sites that would share infrastructure at the TCP layer. Separately, applications that connect by raw IP, misconfigured resolvers, or split-brain DNS can widen the gap between “what the browser thinks it opened” and “what the proxy observed on the wire.” These issues are exactly why the upstream project introduced a dedicated Sniffer pipeline: recover application intent from plaintext or early TLS bytes instead of guessing from addresses alone.

This guide assumes you already understand baseline DNS hardening. If resolver chains, DoH, and FakeIP are new, read our Meta DNS leak prevention guide first—sniffer fixes hostname visibility, not upstream DNS leaks by themselves. Likewise, confirm mode: rule; global modes bypass the fine-grained graph you expect to steer HTTPS.

2 What the Sniffer module actually inspects

Sniffer is not magic deep-packet inspection on encrypted payloads. For HTTPS, Clash.Meta waits for the client’s TLS ClientHello and extracts the Server Name Indication (SNI) field, which is transmitted in cleartext specifically so middleboxes can route certificates. That hostname string is what your DOMAIN and DOMAIN-SUFFIX rules wanted all along. For legacy HTTP, the core can read the Host header on unencrypted ports. QUIC traffic can also be handled when enabled, because initial packets expose comparable hints depending on version and profile. The takeaway: sniffer supplies a candidate domain tied to the flow before the encrypted tunnel is fully established, letting the rule engine re-evaluate with better inputs.

Important nuance: sniffer does not replace your rule authoring. If you list domains in the wrong order, attach them to an unsuitable policy group, or import a subscription whose node names drift, routing will still look broken. Sniffer narrows the gap between “address-only classification” and “name-aware classification.” It pairs naturally with url-test and fallback groups because once the correct domain is known, the outbound selection logic you already configured can finally execute as designed.

TLS 1.3 and eSNI/ECH SNI remains visible in typical browser stacks; encrypted ClientHello (ECH) may change visibility on some paths. If a site migrates to stricter privacy features, keep fallbacks like IP rules or updated domain lists—sniffer cannot invent hostnames that never appear on the wire.

3 Enable Sniffer in Mihomo-compatible YAML

Add a top-level sniffer: block (exact key names follow your core version; always validate against the release you run). A practical starting point enables TLS and HTTP sniffing on common ports, turns on the behavioral flags discussed in the next section, and keeps QUIC optional until you need it. Merge this with your existing profile—do not duplicate root keys such as dns: or tun:.

YAML (sniffer starter) 
sniffer:
  enable: true
  sniff:
    HTTP:
      ports: [80, 8080-8880]
    TLS:
      ports: [443, 8443]
    QUIC:
      ports:
        - 443
  force-dns-mapping: true
  parse-pure-ip: true
  override-destination: true

GUI wrappers may expose the same toggles under “Sniffer / domain sniffing / enhanced mode.” After editing, reload the core and reproduce the problematic HTTPS site while tailing logs—details appear in the verification section below. If validation fails, syntax errors in indentation are the usual culprit; YAML is whitespace-sensitive, and a misplaced tab can silently drop the entire subtree.

4 override-destination, force-dns-mapping, and DNS teamwork

Three flags deserve explicit mental models. override-destination tells the core to treat the sniffed hostname as the effective destination for routing decisions when it differs from the original tuple. Without it, sniffer might log the SNI yet still forward using the older classification path—exactly the “I see the domain in diagnostics but rules ignore it” confusion. Turning it on is usually the step that makes DOMAIN,google.com,Proxy-style lines suddenly behave for flows that began as ambiguous IPs.

force-dns-mapping cooperates with FakeIP: when a connection targets an address from the fake pool, the core tries to reconcile that mapping so hostname recovery and DNS policy stay aligned. Skipping this on heavy FakeIP profiles can leave rare race conditions where the sniffer result and the DNS cache disagree about which name owns a synthetic address. Pair the flag with a coherent dns: section—consistent enhanced-mode, predictable nameserver and fallback chains, and realistic fake-ip-range—rather than mixing system stub resolvers that bypass Mihomo.

parse-pure-ip attempts to sniff even when the client connected to a literal IP string in the URL bar or a hard-coded address inside an app. Coverage depends on what the application actually sends; some proprietary stacks skip SNI or reuse pooled connections in ways that limit visibility. Expect incremental improvement, not universal fixes for every binary on earth.

Together, these options illustrate why sniffer articles must mention DNS: hostname-based rules only shine when both the sniffer path and the resolver path agree on identity. Our DNS hardening walkthrough covers DoH endpoints, fallback triggers, and leak tests—apply that foundation before you spend hours tuning sniff-related lists.

Do not stack contradictory overrides If another module or external helper also rewrites destinations, confirm you are not double-rewriting to an unexpected outbound. One controlled override chain beats several silent ones.

5 skip-domain, force-domain, and real-world pitfalls

Not every flow benefits from aggressive sniffing. Some CDNs multiplex many unrelated brands behind shared TLS configurations; others use custom client stacks that confuse heuristics. Mihomo therefore supports skip lists and force lists (names vary slightly by release) so you can exempt noisy domains or insist on sniffing specific ones. Start minimal: over-broad skip patterns can reintroduce the exact misrouting you were trying to eliminate, while excessive force rules add CPU overhead on busy routers.

Watch for self-signed or internal HTTPS portals: if SNI does not match user-visible site names, domain rules will follow the certificate’s declared name—not the marketing hostname in the address bar. Corporate VPNs and captive Wi-Fi portals are frequent edge cases; sometimes DIRECT or a dedicated policy group is clearer than forcing sniffer logic to paper over odd certificates.

Mobile hotspots and satellite links add latency; sniffer work happens during connection setup, so failures may surface as slightly longer handshakes rather than outright drops. If you run Mihomo on battery-powered hardware, keep QUIC sniffing disabled until you need it, and avoid absurdly large port ranges in the sniff map.

Finally, remember TUN capture coverage: applications that bypass the tunnel still escape policy. If only some programs misbehave, revisit interface exclusions and elevation requirements using our Clash Verge Rev TUN guide instead of endlessly toggling sniffer alone.

6 Verify behavior in connection logs

After enabling sniffer, open the client’s live log or trace view and load the problematic HTTPS URL in a clean browser profile. You should see the flow transition from an initial IP-based classification to a hostname-enriched decision once ClientHello parsing completes. If the log never prints a recognizable SNI string, the issue is upstream—maybe the app pins certificates, uses QUIC-only paths you did not sniff, or blocks inspection entirely.

Cross-check against your rules ordering: sniffer cannot salvage a domain rule that sits below a broader matcher which already captured the flow. Move specialized lines above catch-all entries, then retest. Document the change in version control if multiple machines import the same remote profile.

7 Tie-in with policy groups and automation

Once domains resolve to the intended buckets, your policy groupsselect, url-test, fallback, and nested combinations—handle which proxy chain actually carries the bytes. Sniffer does not replace those structures; it feeds them cleaner inputs. For automated latency selection and ordered failover patterns, see the dedicated tutorial on Clash URL-Test and Fallback, which walks through tolerance, probe URLs, and healthy nesting.

Operators often combine sniffer with subscription maintenance: when providers rename nodes, update proxy-groups references immediately so automated tests do not point at ghosts. The same discipline applies to rule providers—refresh schedules that lag behind reality produce “correct sniffer, wrong exit” illusions.

8 Wrap-up

Clash Meta Sniffer closes the loop between encrypted HTTPS metadata and your declarative rules by surfacing SNI (and plaintext HTTP hosts) early in the connection lifecycle. Pair override-destination with disciplined DNS—especially under FakeIP—so hostname-based policy and resolver state stay synchronized. Trim exceptions with skip-domain / force-domain only when real-world traffic demands it, and always confirm outcomes in logs rather than assuming YAML alone guarantees behavior.

Compared with endlessly reordering IP rules, teaching the core to see names reliably scales better across CDNs and multi-device homes. Desktop GUIs such as Clash Verge Rev expose the same Mihomo knobs with visual editors, which lowers the friction of iterative testing. Prefer official installers from the project download hub so signatures and update channels stay trustworthy.

When you are ready to deploy builds for your platform, fetch them from this site’s download page, import your profile, reload the core, and repeat your HTTPS test while watching for the expected policy group and sniffed hostname in the connection log.

→ Download Clash for free and experience the difference

Tags: Sniffer SNI HTTPS override-destination FakeIP policy groups Mihomo
Clash client logo

Clash Verge Rev

Next-gen Clash client · Free and open source

Toggle Sniffer and DNS options in a GUI, paste the same Mihomo YAML on Windows, macOS, or Linux, and read live connection logs while you confirm SNI-based routing matches your policy groups.

Sniffer & TLS hints Mihomo core Nested policy groups Rules and subscriptions Connection logs
Windows macOS Linux

Related reading

DNS

Stop DNS leaks on Mihomo with DoH and FakeIP

 Groups

URL-Test and Fallback: auto latency and failover