Tutorial ~18 min read

How to Enable Sniffer in Clash Meta: HTTPS Domain Routing Step by Step (2026)

You already flipped TUN on and pasted a respectable stack of DOMAIN-SUFFIX lines, yet the live log still prints a bare IPv4 or IPv6 address for HTTPS flows—and the rule column stubbornly refuses your carefully named proxy group. That mismatch is one of the most common friction points in Clash Meta and Mihomo setups: without hostname visibility, domain-based split routing cannot fire reliably. The Sniffer (often called “sniffing” in community threads) teaches the core how to recover hostnames from modern TLS and QUIC handshakes so DOMAIN predicates see what your eyes expect. This guide explains the underlying constraint, walks through a copy-ready YAML skeleton, shows how to pair Sniffer output with ordered rules, and points to DNS alignment when symptoms persist.

Clash Editorial Team Clash Meta · Mihomo · Sniffer · HTTPS · TLS · Rules

Search intent: symptoms that point to Sniffer

The archetypal story sounds like this: browsers feel fine because some paths still expose cleartext hostnames or your client maps DNS answers aggressively, yet background tools, updaters, or certain mobile-emulated stacks only reveal an IP in the inspector. You search the connection table for google.com and see 142.250.x.x instead. Your DOMAIN-SUFFIX,google.com,Proxy line never lights up, so traffic falls through to a broad GEOIP or MATCH bucket you did not intend. Another variant is QUIC-heavy apps: flows show UDP/443 with minimal metadata until you explicitly sniff the protocol. In all of these cases the dataplane is working—packets reach Mihomo—but the classifier lacks the string it needs to evaluate domain rules. Sniffer closes that gap by parsing handshake fields rather than guessing from PTR records or stale DNS caches.

This article is not a substitute for fixing capture. If TUN is off or bypassed, no amount of YAML in the sniffer map will manufacture hostnames from thin air. Confirm the tunnel first using the Clash Verge Rev TUN mode guide; only then treat Sniffer as the second act in the play. Likewise, if your issue is “which executable opened the socket,” domain sniffing and PROCESS-NAME solve different puzzles—see process-level routing when the hostname is already visible but policy must follow binaries.

Why HTTPS often looks like “just an IP” in logs

Once a TCP connection is established to an IP address, the outer five-tuple carries no mandatory HTTP Host header for observers who only glance at flow summaries. HTTPS encrypts the application layer; the earliest point where a public hostname routinely appears is the TLS ClientHello, which includes the Server Name Indication (SNI) extension for virtual hosting. A transparent proxy that terminates TLS can read that cleartext extension before relaying, which is exactly what a well-configured Meta-class core uses internally for classification—not for decrypting your bank session, but for steering policy. When SNI is absent (legacy quirks, certain rare stacks) or when traffic is pure QUIC, additional logic applies: QUIC carries TLS 1.3 inside encrypted envelopes, yet implementations expose headers the Sniffer can still parse when the client and server negotiate standard paths.

If you disable sniffing or leave the module at defaults that do not cover the port your app uses, the core honestly reports what it knows: the destination IP from the routing table. That is not a moral failure; it is incomplete evidence. Community rule lists assume domain predicates work, which presumes hostname recovery for HTTPS. Turning on Sniffer is how you align the real dataplane with those assumptions without reverting to coarse IP-CIDR lists that rot every time a CDN shifts anycast fronts.

Mental model: Sniffer feeds the rule engine, not DNS

Beginners sometimes conflate Sniffer with DNS override. DNS answers tell clients where to connect; Sniffer inspects live flows after sockets exist. Both layers must agree for a calm mental model: DNS might return a FakeIP from the core while the sniffed SNI still reads cdn.example.com, and domain rules can match that SNI for policy selection. When they disagree because of caching or split-horizon enterprise resolvers, you chase DNS issues—not sniffing knobs. Our Meta core DNS leak prevention article remains the right companion when logs show odd resolver paths or leaks outside the tunnel.

Rule order still matters: Sniffer widens hostname visibility; it does not move your MATCH line above a careless catch-all. Place precision domain lines where they can execute.

Enable Sniffer in YAML: a practical skeleton

Most Mihomo profiles accept a top-level sniffer: map. At minimum you want enable: true and explicit sniff entries for the protocols you care about. A pragmatic baseline for 2026 desktop browsing and SaaS stacks includes TLS on conventional HTTPS ports and QUIC on UDP/443 because browsers increasingly prefer it. HTTP cleartext is less common on the public Internet but still appears on captive portals and some LAN devices—keeping a small HTTP port list does not hurt. 

# Illustrative sniffer block — adjust ports to your core version docs
sniffer:
  enable: true
  sniff:
    HTTP:
      ports: [80, 8080-8880]
    TLS:
      ports: [443, 8443]
    QUIC:
      ports: [443]

Vendor GUIs sometimes expose toggles that write this YAML for you; power users still benefit from understanding the keys so merges with subscription templates do not silently drop sniffing during an update. After editing, reload the profile and open a fresh HTTPS site while watching the connections pane: hostnames should begin to replace anonymous IPs for flows that carry SNI. If your client offers a verbose debug mode, enable it temporarily—noise is acceptable during triage, silence is not.

skip-domain, force-domain, and when to trim noise

Real profiles are never minimal. Some infrastructure legitimately connects to IPs by design; others generate enormous chatter on hostnames you never want to special-case. The skip-domain and force-domain lists tune aggressiveness. Use skip-domain to exempt internal suffixes such as +.corp.local or management VLANs where sniffing adds CPU without improving decisions. Use force-domain when you know certain CDNs require consistent treatment—community examples often mention streaming providers—yet always document why a name landed on the list so the next you does not fear deleting stale lines. 

# Optional tuning examples (illustrative)
  skip-domain:
    - '+.lan'
    - '+.internal'
  force-domain:
    - '+.google.com'

Prefix forms like +. follow the same matching conventions as elsewhere in Meta-class rulesets; if your build uses different glob semantics, trust the upstream manual over this page. The goal is not to copy-paste a mega-list from a forum thread, but to start with a tight set and expand only when logs prove the need.

override-destination and parse-pure-ip: advanced levers

Some users enable override-destination so that, after sniffing recovers a hostname, the dataplane aligns destination metadata with that hostname for subsequent modules. That can fix stubborn mismatches between IP-based routing leftovers and domain policies, but it also interacts with redistributed routes in subtle ways—treat it as an advanced switch you turn on only after baseline sniffing works. Similarly, parse-pure-ip (or equivalently named options in your revision) controls whether flows without SNI should attempt reverse lookups or remain purely numeric. On residential networks, indiscriminate reverse DNS can be slow or misleading; on servers with stable PTR records it may help. Read release notes: Meta-class cores evolve quickly, and the exact spelling of these booleans can change between minor versions.

Pairing Sniffer output with DOMAIN rules and providers

Once hostnames appear, your existing DOMAIN and DOMAIN-SUFFIX entries behave as authors intended—assuming order is sane. Insert high-confidence local overrides (banking, hospital portals, university VPN landing pages) near the top, followed by provider-backed lists, then regional GEOIP shortcuts, and finally MATCH. Sniffer does not automatically promote Google into a special group; it simply makes DOMAIN-SUFFIX,google.com viable again. If you import massive community sets, remember that first match wins: a broad line that catches *.cloudfront.net may starve a more specific line below unless you reorder or split providers into logical files you control locally.

Users blending Sniffer with PROCESS-NAME rules should decide precedence deliberately. If a domain rule sends a browser to Proxy but a process rule sends the same binary to DIRECT, whichever line evaluates first wins—document the intent in comments. For many households the clean split is: sniff domains for site-based policy, process rules for binaries that share CDNs across countries. Neither feature replaces the other; together they reduce drama.

QUIC, HTTP/3, and UDP 443

Modern browsers negotiate QUIC aggressively. If you only sniff TLS over TCP, some sessions may still look opaque until QUIC coverage exists. Ensure your QUIC port list includes the UDP ports your applications use; corporate intercepts occasionally move ports, and game launchers invent creative ones. When in doubt, capture a short session log, identify the UDP five-tuple, and compare against your YAML. After enabling QUIC sniffing, revisit UDP firewall rules—some routers treat UDP/443 differently from TCP/443, and OS-level firewalls may need explicit allowances for the TUN interface.

Step-by-step workflow you can repeat

1Stabilize TUN and verify flows reach the core

Open a test site with TUN enabled; confirm counters move and the exit node matches expectations. If system proxy mode alone is active, consider upgrading to TUN for consistent capture before touching sniffing.

2Add the sniffer block with TLS and QUIC

Paste the skeleton, reload, and trigger a fresh HTTPS request. Compare log entries before and after: hostnames should emerge where only IPs sat previously.

3Insert DOMAIN rules in the correct region

Move or duplicate critical DOMAIN lines above lazy catch-alls. Remove duplicate contradictions introduced during experimentation—diff your YAML like application code.

4Cross-check DNS separately

If hostnames appear yet policies misfire, pivot to resolver settings, FakeIP toggles, and fallback DNS order. Misaligned DNS can still produce confusing results even with perfect sniffing.

5Document skip/force lists as you grow them

One-line comments per suffix prevent future you from treating the file as haunted. Version-control private fragments when possible.

Troubleshooting checklist

  • Sniffer disabled after merge: subscription generators sometimes overwrite local maps—use includes or anchors so your sniffer: stanza survives regeneration.
  • Esoteric ports: non-standard TLS ports need explicit entries under the TLS sniff port list, not just 443.
  • Encrypted Client Hello (ECH): as adoption grows, some flows may hide SNI from passive observers—watch upstream Mihomo notes for mitigation strategies; IP fallbacks may temporarily return.
  • Double VPNs: nested tunnels can reorder packets such that the core sees inner IPs only—simplify topology before blaming Sniffer.
  • Old cores: upgrade when release notes mention parser fixes; TLS extensions evolve.

Pitfalls that waste afternoons

  • Expecting miracles on non-TLS flows: raw IP services without SNI remain IP-shaped unless DNS or PTR saves you—design policies accordingly.
  • Ignoring rule order: Sniffer success plus a misplaced MATCH still yields wrong outbound.
  • Copying giant skip lists blindly: you may accidentally exempt the exact host you wanted to proxy.
  • Privacy misconceptions: Sniffer classification is local to your core; it does not publish hostnames to third parties by itself—still, understand your threat model.

Verification habits for long-term sanity

After each profile change, run three quick checks: trigger a known HTTPS domain that should hit a specific proxy group; trigger a domestic site that should remain direct; open a QUIC-heavy app and confirm UDP flows list recognizable hostnames. Save redacted screenshots when a configuration finally behaves—future debugging benefits from proof, not memory. When collaborating in forums, share YAML fragments and core versions instead of vague adjectives like “broken.”

Open source, downloads, and trust

Mihomo publishes sources and changelogs so you can verify parser behavior and participate in issues when new TLS extensions land. For installers, prefer the official Clash download page; treat GitHub as transparency for code, not the only channel for obtaining binaries when site distribution exists.

Summary

Sniffer in Clash Meta and Mihomo restores hostname visibility for HTTPS and modern QUIC flows so DOMAIN-based split routing can evaluate as authors intended. Start from a working TUN path, enable structured sniff maps for TLS and QUIC, tune skip-domain and force-domain sparingly, and keep rules ordered with precision lines ahead of lazy GEOIP or MATCH catch-alls. Pair with sound DNS hygiene from FakeIP and resolver guidance, and use PROCESS-NAME when executables—not hostnames—should drive policy. Compared with flattening everything into IP-CIDR spreadsheets, sniffing is the boring infrastructure that makes expressive domain rules honest again.

When logs show names instead of opaque numbers, your policy stops fighting the encryption stack and starts matching how humans think about sites and services.

Download Clash for free and experience the difference

Clash Meta HTTPS routing Sniffer

Enable Sniffer alongside TUN so TLS and QUIC flows expose hostnames—then your DOMAIN and DOMAIN-SUFFIX rules finally line up with what you see in the browser.

TLS & QUIC

Sniff common HTTPS and HTTP/3 ports for SNI-aware rules

Domain-first policy

Pair with ordered DOMAIN lines above GEOIP/MATCH

Tunable lists

skip-domain / force-domain for LAN and CDN edge cases

DNS companion

Still align FakeIP and resolvers when rules miss

Download for Windows Download for macOS View Configuration Guide

Previous & Next

Related Reading

Tutorial

Complete TUN Mode Setup Guide for Clash Verge Rev (Windows / macOS)

 Advanced Config

Ultimate Meta Core DNS Leak Prevention Guide: FakeIP, DoH, DoT Complete Setup (2026)
HTTPS still an IP?

Turn on Sniffer for TLS and QUIC, then reload—DOMAIN rules need hostnames the core can read from handshakes.

Download Free Client