drop a pcap file · scan TLS connections for SNI hostname mismatch against certificate common name · detect domain fronting · C2 evasion via CDN · interception indicators · flag connections where traffic claims to be somewhere it is not · runs locally
SNI extension · server certificate · wildcard match · CDN fronting heuristics
drop pcap · TLS SNI vs certificate analysis
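The SNI-versus-certificate check with wildcard matching described above, as an added example (not this tool's own code). It assumes the SNI and certificate names have already been extracted from the pcap for each connection; the record fields `stream`, `sni` and `cert_names` are hypothetical.

```python
def name_matches(sni: str, cert_name: str) -> bool:
    """True if cert_name covers sni. A wildcard is accepted only as the
    whole left-most label and stands for exactly one label."""
    host = sni.lower().rstrip(".").split(".")
    pattern = cert_name.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False
    if pattern[0] == "*":
        # Require two fixed labels after the wildcard so "*.com" never matches.
        return len(pattern) >= 3 and host[1:] == pattern[1:]
    return host == pattern


def find_mismatches(connections):
    """Return connections whose SNI is covered by none of the certificate names."""
    flagged = []
    for conn in connections:
        sni, names = conn["sni"], conn["cert_names"]
        # Connections without SNI cannot be compared and are skipped here.
        if sni and not any(name_matches(sni, n) for n in names):
            flagged.append(conn)
    return flagged


# Constructed sample records (assumed output of a pcap parsing step).
SAMPLE = [
    {"stream": 1, "sni": "www.example.com", "cert_names": ["*.example.com"]},
    {"stream": 2, "sni": "example.com", "cert_names": ["*.example.com"]},
    {"stream": 3, "sni": "a.b.example.com", "cert_names": ["*.example.com"]},
    {"stream": 4, "sni": "cdn.example.net",
     "cert_names": ["other.example.org", "*.example.org"]},
    {"stream": 5, "sni": "API.Example.com.", "cert_names": ["api.example.com"]},
]

if __name__ == "__main__":
    for conn in find_mismatches(SAMPLE):
        print(f"stream {conn['stream']}: SNI {conn['sni']} "
              f"not covered by {conn['cert_names']}")
```

In TLS 1.3 the server certificate is sent encrypted, so a passive capture only yields certificate names for TLS 1.2 and earlier handshakes unless session keys are available.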